thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).
References
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2009-04-03 18:30
Updated : 2024-02-28 11:21
NVD link : CVE-2008-6592
Mitre link : CVE-2008-6592
CVE.ORG link : CVE-2008-6592
JSON object : View
Products Affected
lightneasy
- lightneasy
sqlite
- sqlite
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')