CVE-2009-2784 Information

Description

Multiple directory traversal vulnerabilities in dit.cms 1.3 when register_globals is enabled allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the path parameter to index.php in (1) install/ (2) menus/left_rightslideopen/ (3) menus/side_pullout/ (4) menus/side_slideopen/ (5) menus/simple/ (6) menus/top_dropdown/ and (7) menus/topside/; the sitemap parameter to index.php in (8) menus/left_rightslideopen/ (9) menus/side_pullout/ (10) menus/side_slideopen/ (11) menus/top_dropdown/ and (12) menus/topside/; and the (13) relPath parameter to index/index.php. NOTE: PHP remote file inclusion vulnerabilities reportedly also exist for some of these vectors.

Reference

http://secunia.com/advisories/36076 http://www.exploit-db.com/exploits/9310