CVE-2009-0729

Name of the Vulnerable Software and Affected Versions Page Engine CMS versions 2.0 Basic and Pro

Description The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the fPrefix parameter to various API endpoints, including (1) "modules/recent poll include.php", (2) "modules/login include.php", (3) "modules/statistics include.php", and (4) "configuration.inc.php" in "includes/".

Recommendations For Page Engine CMS version 2.0 Basic, restrict access to the vulnerable modules and files until a patch is available. For Page Engine CMS version 2.0 Pro, avoid using the fPrefix parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, consider disabling the execution of arbitrary local files via directory traversal sequences in the affected modules and files.