CVE-2008-2982

Name of the Vulnerable Software and Affected Versions HomePH Design version 2.10 RC2

Description The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences. This can be achieved by manipulating the thumb template parameter in the "admin/templates/template thumbnail.php" file and the language parameter in several files, including "account/account.php", "downloads/downloads.php", "forum/forum.php", "fotogalerie/delete.php", and "fotogalerie/fotogalerie.php" in the "admin/features/" directory. The attack is possible when the register globals setting is enabled.

Recommendations For HomePH Design version 2.10 RC2, consider disabling the register globals setting to prevent exploitation. As a temporary workaround, restrict access to the vulnerable parameters thumb template and language in the affected files until a patch is available. Avoid using directory traversal sequences in the thumb template parameter to the "admin/templates/template thumbnail.php" file and the language parameter to the files in the "admin/features/" directory.