CVE-2008-1885

Name of the Vulnerable Software and Affected Versions Nefficient Download version 1.0.5

Description The issue allows remote attackers to download arbitrary code onto a client system. This can be achieved by exploiting a directory traversal vulnerability in the NeffyLauncher ActiveX control. The vulnerability can be triggered by including a .. (dot dot) in the SkinPath parameter and a .zip URL in the HttpSkin parameter. This can potentially be leveraged for code execution by writing to a Startup folder.

Recommendations For version 1.0.5, consider disabling the NeffyLauncher ActiveX control until a patch is available to prevent exploitation of the directory traversal vulnerability. Restrict access to the SkinPath and HttpSkin parameters to minimize the risk of downloading arbitrary code. Avoid using the SkinPath and HttpSkin parameters in the NeffyLauncher ActiveX control until the issue is resolved.