CVE-2008-6290

Name of the Vulnerable Software and Affected Versions: nicLOR Sito (affected versions not specified)

Description: The issue allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the page file parameter in includefile.php, particularly when register globals is enabled or magic quotes gpc is disabled.

Recommendations: For all affected versions, consider disabling the register globals setting and enabling magic quotes gpc to minimize the risk of exploitation. As a temporary workaround, restrict access to the includefile.php file to prevent remote attackers from including and executing arbitrary files. Avoid using the page file parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.