CVE-2009-1246

Name of the Vulnerable Software and Affected Versions Blogplus version 1.0

Description The issue allows remote attackers to include and execute arbitrary local files via directory traversal vulnerabilities. This can be achieved by manipulating specific parameters in various PHP files, including row mysql blocks center down[file] in "includes/block center down.php", row mysql blocks center top[file] in "includes/block center top.php", row mysql blocks left[file] in "includes/block left.php", row mysql blocks right[file] in "includes/block right.php", and row mysql bloginfo[theme] in "includes/window down.php" and "includes/window top.php".

Recommendations For Blogplus version 1.0, consider restricting access to the vulnerable parameters row mysql blocks center down[file], row mysql blocks center top[file], row mysql blocks left[file], row mysql blocks right[file], and row mysql bloginfo[theme] to minimize the risk of exploitation. Additionally, avoid using the .. (dot dot) notation in these parameters until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.