PT-2007-5375 · Pluck · Pluck

Published: 2007-08-08 · Updated: 2024-08-07 · CVE-2007-4180

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Pluck version 4.3

Description
The issue allows remote attackers to potentially read arbitrary local files via a .. (dot dot) in the file parameter of data/inc/theme.php when register_globals is enabled. However, it is noted that the code uses a fixed argument when invoking fputs, which cannot be used to read files, so the vulnerability is disputed.

Recommendations
For Pluck version 4.3, consider disabling the register_globals setting to minimize potential risk, since the vulnerability is contingent on that setting being enabled. Additionally, restrict access to data/inc/theme.php to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
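The recommendation above addresses the configuration side (register_globals off). As an added example that is not Pluck's own code, the PHP below shows the code-level complement: a file parameter is read explicitly from the request rather than from an auto-registered global, and it is only accepted if it resolves to a regular file inside a fixed theme directory. The names THEME_DIR and resolve_theme_file, and the sample requests, are assumptions constructed for illustration.

```php
<?php
// Added example, not code from Pluck. THEME_DIR and resolve_theme_file are
// hypothetical names; the sample inputs at the bottom are constructed.

// Read parameters explicitly; never depend on register_globals populating
// $file. (register_globals should be Off in php.ini and was removed in PHP 5.4.)
define('THEME_DIR', __DIR__ . '/data/themes');

/**
 * Return the canonical path of a theme file, or null when the request does
 * not name a regular file inside THEME_DIR. Rejects NUL bytes, path
 * separators, "." and "..", and symlinks that resolve outside the directory.
 */
function resolve_theme_file(string $requested): ?string
{
    // Only a bare file name is acceptable for this parameter.
    if ($requested === '' || $requested === '.' || $requested === '..') {
        return null;
    }
    if (strpos($requested, "\0") !== false
        || strpos($requested, '/') !== false
        || strpos($requested, '\\') !== false) {
        return null;
    }

    $base = realpath(THEME_DIR);
    $path = realpath(THEME_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // realpath() resolves symlinks, so a canonical prefix comparison is
    // meaningful: the file must live strictly below the theme directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the theme directory
    }
    return is_file($path) ? $path : null;
}

// Constructed sample requests showing the decision the check makes for each.
$samples = [
    'default.php',          // expected: accepted if data/themes/default.php exists
    '../../secret.txt',     // expected: rejected (path separator / traversal)
    "default.php\0.txt",    // expected: rejected (NUL byte)
    '/etc/hosts',           // expected: rejected (absolute path)
];
foreach ($samples as $s) {
    $r = resolve_theme_file($s);
    printf("%-24s -> %s\n", str_replace("\0", '\0', $s), $r === null ? 'rejected' : $r);
}
```

The prefix check is done on realpath() output rather than on the raw string so that a symlink placed inside the theme directory cannot point the include at a file elsewhere on disk; rejecting separators up front keeps the comparison simple and also avoids passing NUL bytes to filesystem functions.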

Related Identifiers
CVE-2007-4180

Affected Products
Pluck