PT-2009-2062 · Unknown+2 · Lightneasy+2

Girex · Published 2009-04-03 · Updated 2018-10-11 · CVE-2008-6592

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Thumbs-Up version 1.12; LightNEasy "no database" (aka flat) SQLite versions 1.2.2 and earlier

Description: The issue allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter, combined with a modified cache dir parameter containing a %00 (encoded null byte).

Recommendations: For Thumbs-Up version 1.12, consider restricting access to the thumbsup.php file until a patch is available. For LightNEasy "no database" (aka flat), restrict the use of the image parameter in the affected endpoint to minimize the risk of exploitation. For SQLite versions 1.2.2 and earlier, avoid using the cache dir parameter with encoded null bytes (%00) in the affected API endpoint until the issue is resolved.
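As an added illustration (not code from Thumbs-Up or LightNEasy, and not the vendor's fix), a PHP check a maintainer could apply to the image parameter: it rejects embedded null bytes and directory separators, allow-lists the file name, and verifies that the canonical path stays inside a fixed base directory, while the cache directory comes from server configuration rather than from the request. Function and directory names are assumptions.

```php
<?php
// Added example, not LightNEasy/Thumbs-Up code. Resolve a user-supplied
// image name against a fixed base directory and reject the traversal and
// null-byte tricks described in the advisory. Names here are assumptions.

function safe_image_path(string $baseDir, string $image): ?string
{
    // PHP before 5.3.4 truncated filesystem paths at an embedded NUL, so
    // "../../x%00.jpg" could pass a ".jpg" suffix check yet open "../../x".
    // Reject NUL bytes explicitly rather than relying on the runtime.
    if (strpos($image, "\0") !== false) {
        return null;
    }
    // Only accept a bare file name: no directory separators at all.
    if ($image === '' || strpbrk($image, "/\\") !== false) {
        return null;
    }
    // Allow-list the characters and extensions actually served.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.(jpe?g|png|gif)$/i', $image)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $image);
    if ($base === false || $full === false) {
        return null; // base directory or image does not exist
    }
    // Defence in depth: the canonical path must remain inside the base dir.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Cache location is a server-side constant, never a request parameter.
define('THUMB_CACHE_DIR', __DIR__ . '/cache');

// Demonstration with constructed inputs (assumes ./images/photo.jpg exists).
$base = __DIR__ . '/images';
foreach (["photo.jpg", "../../etc/passwd", "photo.jpg\0.png", "sub/photo.jpg"] as $name) {
    $p = safe_image_path($base, $name);
    printf("%-24s => %s\n", addcslashes($name, "\0"), $p === null ? 'rejected' : $p);
}
```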

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2008-6592

Affected Products

Lightneasy
Sqlite
Thumbs-Up