CVE-2009-2331

Name of the Vulnerable Software and Affected Versions CMS Chainuk versions 1.2 and earlier

Description The issue allows remote attackers to inject arbitrary PHP code into specific files. This can be achieved in two ways: (1) by injecting code into settings.php via the menu parameter to "admin settings.php", or (2) by injecting code into a content/=NUMBER.php file via the title parameter to "admin new.php".

Recommendations For CMS Chainuk versions 1.2 and earlier, as a temporary workaround, consider restricting access to the "admin settings.php" and "admin new.php" files until a patch is available. Avoid using the menu parameter in "admin settings.php" and the title parameter in "admin new.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.