CVE-2008-6878

Name of the Vulnerable Software and Affected Versions: Zen Cart versions 1.3.8a, 1.3.8, and earlier

Description: A directory traversal issue exists in the admin/includes/languages/english.php file, allowing remote attackers to include and execute arbitrary local files via a .. (dot dot) in the SESSION[language] parameter when .htaccess is not supported. This could potentially reveal some local file paths.

Recommendations: For Zen Cart versions 1.3.8a, 1.3.8, and earlier, consider restricting access to the admin/includes/languages/english.php file until a fix is available. As a temporary workaround, avoid using the SESSION[language] parameter in sensitive operations to minimize the risk of exploitation.