CVE-2009-2176

Name of the Vulnerable Software and Affected Versions fuzzylime (cms) versions 3.03a and earlier

Description The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences. This can be achieved by exploiting the list parameter to the "code/confirm.php" endpoint and the template parameter to the "code/display.php" endpoint when magic quotes gpc is disabled.

Recommendations For versions 3.03a and earlier, consider disabling the execution of files from user-supplied input to code/confirm.php and code/display.php until a patch is available. Restrict access to the list and template parameters in these endpoints to minimize the risk of exploitation.