CVE-2008-1856

Name of the Vulnerable Software and Affected Versions LinPHA versions 1.3.3 and earlier

Description The issue allows remote attackers to conduct directory traversal attacks and execute arbitrary local files. This is achieved by modifying the configuration file through a settings action in db handler.php without requiring authentication. The attackers can place directory traversal sequences into the maps type configuration setting and then send a request to "maps view.php", causing "map.main.class.php" to use the modified configuration.

Recommendations For LinPHA versions 1.3.3 and earlier, consider restricting access to the db handler.php file and the maps view.php endpoint to require authentication for settings actions, and avoid using directory traversal sequences in the maps type configuration setting until a fix is available.