CVE-2009-0286

Name of the Vulnerable Software and Affected Versions OpenGoo version 1.1

Description The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the upgrade/index.php file. This occurs when register globals is enabled and magic quotes gpc is disabled. The vulnerability can be exploited via a .. (dot dot) in the form data[script class] parameter.

Recommendations For OpenGoo version 1.1, consider disabling the register globals setting and enabling magic quotes gpc to mitigate the risk. Additionally, restrict access to the upgrade/index.php file until a patch is available. Avoid using the form data[script class] parameter in the affected API endpoint until the issue is resolved.