CVE-2008-6877

Name of the Vulnerable Software and Affected Versions: Zen Cart versions 1.3.8 through 1.3.8a

Description: A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files via a .. (dot dot) in the loader file parameter in admin/includes/initsystem.php when .htaccess is not supported. The vendor disputes the severity of this issue, stating it could at worst reveal some local file paths.

Recommendations: For Zen Cart versions 1.3.8 through 1.3.8a, consider restricting access to the admin/includes/initsystem.php file until a patch is available, and avoid using the loader file parameter with untrusted input.