CVE-2009-2132

Description

Directory traversal vulnerability in global.php in 4images before 1.7.7, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the l parameter.

Affected products

• 4Homepages / 4images1.7.6
• 4Homepages / 4images1.0 – 1.0
• 4Homepages / 4images1.0 – 1.0
• 4Homepages / 4images1.5 – 1.5
• 4Homepages / 4images1.6 – 1.6
• 4Homepages / 4images1.6.1 – 1.6.1
• 4Homepages / 4images1.7 – 1.7
• 4Homepages / 4images1.7.1 – 1.7.1
• 4Homepages / 4images1.7.2 – 1.7.2
• 4Homepages / 4images1.7.3 – 1.7.3
• 4Homepages / 4images1.7.4 – 1.7.4
• 4Homepages / 4images1.7.5 – 1.7.5

References

• VENDOR_ADVISORYhttp://secunia.com/advisories/35427
• MISChttp://bbs.wolvez.org/topic/56/
• MISChttp://www.4homepages.de/forum/index.php?topic=15186.0