CVE-2009-2037

Name of the Vulnerable Software and Affected Versions Online Grades & Attendance versions 3.2.5 and earlier

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[SKIN] parameter to "index.php" and the skin parameter to "admin/admin.php" when register globals is enabled.

Recommendations For versions 3.2.5 and earlier, consider disabling the register globals setting to prevent exploitation. As a temporary workaround, restrict access to the "index.php" and "admin/admin.php" files until a fix is available. Avoid using the GLOBALS[SKIN] and skin parameters in the affected API endpoints until the issue is resolved.