CVE-2008-4181

Name of the Vulnerable Software and Affected Versions Fantastico De Luxe module versions prior to 2.10.4 r19

Description The issue allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) or absolute pathname in the fantasticopath parameter. This can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL in certain environments.

Recommendations For versions prior to 2.10.4 r19, update to version 2.10.4 r19 or later to resolve the issue. As a temporary workaround, consider disabling the cPanel PHP Register Globals feature to minimize the risk of exploitation. Restrict access to the includes/xml.php file to prevent unauthorized inclusion and execution of local files. Avoid using the fantasticopath parameter with untrusted input until the issue is resolved.