CVE-2009-4421

Description

Directory traversal vulnerability in languages_cgi.php in Simple PHP Blog 0.5.1 and earlier allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the blog_language1 parameter.

Affected products

• alexander_palmo / simple_php_blog0.5.1
• alexander_palmo / simple_php_blog0.3.7c – 0.3.7c
• alexander_palmo / simple_php_blog0.4.0 – 0.4.0
• alexander_palmo / simple_php_blog0.4.5 – 0.4.5
• alexander_palmo / simple_php_blog0.4.6 – 0.4.6
• alexander_palmo / simple_php_blog0.4.7 – 0.4.7
• alexander_palmo / simple_php_blog0.4.7.1 – 0.4.7.1
• alexander_palmo / simple_php_blog0.5.0.1 – 0.5.0.1

References

• MISChttp://www.securityfocus.com/bid/37434
• MISChttp://www.securityfocus.com/archive/1/508546/100/0/threaded
• MISChttp://archives.neohapsis.com/archives/fulldisclosure/2009-12/0398.html
• MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/54970