PT-2007-1395 · Kubix · Kubix

Blackhawk · Published 2007-03-06 · Updated 2017-10-11 · CVE-2006-7117

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Kubix versions 0.7 and earlier

Description: The issue allows remote attackers to perform directory traversal attacks. This can be achieved in two ways: (1) by including and executing arbitrary local files via ".." sequences in the theme cookie to "index.php", which is not properly handled by "includes/head.php"; and (2) by reading arbitrary files via ".." sequences in the file parameter in an "add dl" action to "adm index.php". For example, an attacker could read "connect.php" using this method.

Recommendations: For Kubix versions 0.7 and earlier, consider disabling access to the "index.php" and "adm index.php" files until a patch is available. Restrict the use of the theme cookie and the file parameter in the "add dl" action to minimize the risk of exploitation.
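The two inputs named above (the theme cookie and the file parameter of the "add dl" action) can both be constrained the way the recommendation suggests. The following Python is an added illustration, not Kubix's own code: the directory layout, the `themes/` and `uploads/` names and the sample files are constructed assumptions, and it requires Python 3.9+ for `Path.is_relative_to`.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical layout mirroring the advisory's two traversal points: a theme
# name taken from a cookie and included by head.php, and a file name taken
# from the "file" parameter of the "add dl" action. Not Kubix's own code.
THEME_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def resolve_theme(base_dir: Path, theme_cookie: str, default: str = "default") -> Path:
    """Pick the theme directory to include, never leaving base_dir/themes.

    The raw cookie must match a strict pattern (no '/', no '.', so no ".."),
    and the named theme must exist as a directory; otherwise the default
    theme is used. An allowlist of known themes is stricter than sanitising.
    """
    themes = base_dir / "themes"
    name = theme_cookie if THEME_NAME_RE.fullmatch(theme_cookie or "") else default
    candidate = themes / name
    return candidate if candidate.is_dir() else themes / default


def resolve_download(base_dir: Path, file_param: str) -> Optional[Path]:
    """Return the canonical path of a downloadable file, or None if it escapes.

    resolve() collapses '..' and follows symlinks, so containment is decided
    on the canonical path rather than on the attacker-controlled string.
    """
    root = (base_dir / "uploads").resolve()
    target = (root / file_param).resolve()
    if not target.is_relative_to(root):  # Python 3.9+
        return None
    return target if target.is_file() else None


def build_demo_site() -> Path:
    """Create a throwaway tree with constructed sample files for the demo."""
    base = Path(tempfile.mkdtemp(prefix="kubix-demo-"))
    (base / "themes" / "default").mkdir(parents=True)
    (base / "themes" / "blue").mkdir()
    (base / "uploads").mkdir()
    (base / "uploads" / "readme.txt").write_text("public download\n")
    (base / "connect.php").write_text("<?php $db_pass = 'constructed';\n")
    return base
```

With the demo tree, `resolve_theme(site, "../../connect.php")` falls back to the default theme and `resolve_download(site, "../connect.php")` returns `None`, while the legitimate `blue` theme and `readme.txt` resolve normally.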

Path traversal


Weakness Enumeration

Related Identifiers: CVE-2006-7117

Affected Products: Kubix