CVE-2009-0572

Name of the Vulnerable Software and Affected Versions FlatnuX CMS (affected versions not specified)

Description The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled and magic quotes gpc is disabled. This can be achieved by providing a URL in the FNROOTPATH parameter to specific API endpoints, such as "index.php" and "filemanager.php".

Recommendations For all affected versions, ensure register globals is disabled and magic quotes gpc is enabled to prevent exploitation. As a temporary workaround, consider restricting access to the "index.php" and "filemanager.php" endpoints until the issue is resolved. Avoid using the FNROOTPATH parameter in these endpoints until the issue is fixed.