CVE-2006-4767

Name of the Vulnerable Software and Affected Versions Stefan Ernst Newsscript (aka WM-News) version 0.5beta

Description The issue allows remote attackers to read and write arbitrary local files. This is achieved through directory traversal vulnerabilities, specifically by using a .. (dot dot) sequence in parameters. For example, the ide parameter in "modify.php" and the var parameter in "add go.php" are vulnerable.

Recommendations For version 0.5beta, consider restricting access to the "modify.php" and "add go.php" scripts until a fix is available, and avoid using the ide and var parameters in these scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.