CVE-2009-5076 Information
Feb 14, 2021
Description
CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, allows remote attackers to bypass authentication and gain administrator privileges via a request with (1) login.php or (2) password_forgotten.php appended as the PATH_INFO, which bypasses a check that uses PHP_SELF, which is not properly handled by (a) includes/application_top.php and (b) admin/includes/application_top.php, as exploited in the wild in 2009.
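An added detection example, not part of the advisory or of CRE Loaded's own code: it scans web access-log lines for the request shape described above, a PHP script path followed by login.php or password_forgotten.php as PATH_INFO. Common Log Format is assumed, and the log lines, addresses and script names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# File names the description lists as being appended as PATH_INFO.
TRAILERS = ("login.php", "password_forgotten.php")
# Request field of a Common Log Format line: "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def path_info_trailer(target):
    """Return (script, trailer) when a .php script is followed by a listed trailer."""
    segments = [s for s in unquote(urlsplit(target).path).split("/") if s]
    for i, seg in enumerate(segments[:-1]):
        # The first .php segment is the script the server runs; the rest is PATH_INFO.
        if seg.lower().endswith(".php"):
            trailer = segments[-1].lower()
            if trailer in TRAILERS:
                return "/" + "/".join(segments[: i + 1]), trailer
            return None
    return None

def scan(lines):
    """Return (client, script, trailer) for every log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        found = path_info_trailer(m.group(1)) if m else None
        if found:
            hits.append((line.split()[0], *found))
    return hits

# Constructed sample lines; script names and addresses are hypothetical.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2009:10:01:02 +0000] "GET /admin/login.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Oct/2009:10:01:05 +0000] "GET /admin/customers.php/login.php HTTP/1.1" 200 9000',
    '203.0.113.9 - - [12/Oct/2009:10:01:09 +0000] "POST /admin/orders.php/Password_Forgotten.php HTTP/1.1" 200 800',
    '198.51.100.7 - - [12/Oct/2009:10:02:00 +0000] "GET /index.php/products/1 HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A direct request for /admin/login.php is not flagged, because the script being executed is the login page itself rather than another script with the login page's name trailing it.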
Reference
http://hosting-4-creloaded.com/node/116
https://www.creloaded.com/fdm_file_detail.php?file_id=191