CVE-2009-4254

Name of the Vulnerable Software and Affected Versions PowerPhlogger version 2.2.5

Description The issue allows remote attackers to obtain sensitive information via a direct request to several files in the include/ directory, including (1) edCss.inc.php, (2) foot.inc.php, (3) get csscolors.inc.php, (4) head.inc.php, (5) head stuff.inc.php, (6) loglist.inc.php, and (7) pphlogger send.inc.php. This is possible because these files reveal the installation path in an error message.

Recommendations For PowerPhlogger version 2.2.5, consider restricting direct access to the files in the include/ directory to prevent sensitive information disclosure. As a temporary workaround, restrict access to the vulnerable files edCss.inc.php, foot.inc.php, get csscolors.inc.php, head.inc.php, head stuff.inc.php, loglist.inc.php, and pphlogger send.inc.php to minimize the risk of exploitation.