CVE-2009-4426

Name of the Vulnerable Software and Affected Versions Ignition version 1.2

Description The issue concerns multiple directory traversal vulnerabilities. When magic quotes gpc is disabled, remote attackers can include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the blog parameter to specific API endpoints, such as "comment.php" and "view.php".

Recommendations For Ignition version 1.2, consider disabling the execution of files from user-inputted paths until a patch is available. Restrict access to the "comment.php" and "view.php" endpoints to minimize the risk of exploitation. Avoid using the blog parameter in these endpoints until the issue is resolved. Enable magic quotes gpc to prevent attackers from injecting malicious input.