CVE-2008-5949

Name of the Vulnerable Software and Affected Versions ccTiddly versions 1.7.4 through 1.7.6

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the cct base parameter to several PHP files, including (1) index.php, (2) handle/proxy.php, (3) header.php, (4) include.php, (5) workspace.php in includes/, and (6) plugins/RSS/files/rss.php.

Recommendations For ccTiddly versions 1.7.4 through 1.7.6, consider disabling the cct base parameter in the affected PHP files until a patch is available. Restrict access to the affected PHP files, such as index.php, handle/proxy.php, header.php, include.php, workspace.php, and plugins/RSS/files/rss.php, to minimize the risk of exploitation. Avoid using the cct base parameter in the affected API endpoints until the issue is resolved.