CVE-2008-2976

Name of the Vulnerable Software and Affected Versions TinX/cms version 1.1

Description The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in certain parameters. Specifically, this can be done through the language parameter to API endpoints such as "include me.php", "admin/ajax.php", and "admin/objects/catalog.ajaxhandler.php", and the prefix parameter to "admin/inc/config.php". This is possible when register globals is enabled.

Recommendations For TinX/cms version 1.1, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the vulnerable API endpoints and parameters, such as language and prefix, until a patch is available. As a temporary workaround, consider removing or restricting the execution of files "include me.php", "admin/ajax.php", "admin/objects/catalog.ajaxhandler.php", and "admin/inc/config.php" to minimize the risk of exploitation.