CVE-2008-5204

Name of the Vulnerable Software and Affected Versions PowerAward version 1.1.0 RC1

Description The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences. This is possible when the register globals setting is enabled. The vulnerability can be exploited through various API endpoints, including /agb.php, /angemeldet.php, /anmelden.php, /charts.php, /external vote.php, /guestbook.php, /impressum.php, /index.php, /rss-reader.php, /statistic.php, /teilnehmer.php, /topsites.php, /votecode.php, /voting.php, and /winner.php, by manipulating the lang parameter.

Recommendations For PowerAward version 1.1.0 RC1, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the vulnerable API endpoints until a patch is available. Avoid using the lang parameter in the affected endpoints until the issue is resolved.