Unrated severity · NVD Advisory · Published Apr 30, 2004 · Updated Apr 16, 2026

CVE-2004-1980

Description

Directory traversal in PROPS 0.6.1 allows remote attackers to view arbitrary files via module or format parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2004-1980 affects PROPS version 0.6.1 [1]. The vulnerability is a directory traversal in the glossary_init() function in lib/glossary.php. The module and format parameters are taken from user input without proper sanitization and used to construct file paths [1]. This allows an attacker to include files from outside the intended directory.
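
The pattern described above, as an added PHP example (not PROPS source code and not taken from the cited references): a loader that concatenates the two request parameters into a path, next to a version that validates them and checks the canonical result. The function names, the "<base>/<module>.<format>" layout, the allowed format list and the demo files are assumptions.

```php
<?php
// Added illustration; NOT the PROPS glossary_init() code. All names and the
// "<base>/<module>.<format>" layout are assumptions.

// Unsafe: request values go straight into the path, so ".." segments
// in either parameter step out of $baseDir.
function unsafe_template_path(string $baseDir, string $module, string $format): string
{
    return $baseDir . '/' . $module . '.' . $format;
}

// Hardened: allowlist the format, restrict the module to a plain name,
// then confirm the canonical path still lies under the base directory.
function safe_template_path(string $baseDir, string $module, string $format): ?string
{
    $allowedFormats = ['html', 'txt'];            // assumed output formats
    if (!in_array($format, $allowedFormats, true)) {
        return null;
    }
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $module) !== 1) {
        return null;                              // no dots, slashes or NUL bytes
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $module . '.' . $format);
    if ($base === false || $path === false) {
        return null;                              // missing directory or file
    }
    // realpath() resolves symlinks and "..", so a prefix test is meaningful here.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree in a temp directory.
$root = sys_get_temp_dir() . '/props_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/modules', 0700, true);
file_put_contents($root . '/config.php', "<?php // constructed placeholder\n");
file_put_contents($root . '/modules/glossary.html', "<p>glossary</p>\n");

$cases = [['glossary', 'html'], ['../config', 'php'], ['../config', 'html']];
foreach ($cases as [$m, $f]) {
    $unsafe = unsafe_template_path($root . '/modules', $m, $f);
    $safe   = safe_template_path($root . '/modules', $m, $f);
    printf("module=%-10s format=%-4s unsafe=%s safe=%s\n", $m, $f,
        is_file($unsafe) ? 'readable' : 'missing', $safe === null ? 'rejected' : 'ok');
}
```

The format allowlist and the module name pattern reject the request before any filesystem call; the realpath() prefix check is a second layer that also covers symlinks inside the base directory.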

Exploitation

An attacker can exploit this by crafting a URL with .. (dot dot) sequences in the module or format parameters [1]. For example, the URL /?module=../config&format=php would reveal the source code of config.php [1]. No authentication is required; the attacker only needs network access to the web server.

Impact

Successful exploitation allows a remote attacker to view the contents of arbitrary files on the server, including PHP source code and configuration files [1]. This can lead to disclosure of sensitive information such as database credentials or other secrets.

Mitigation

According to the SourceForge release notes for PROPS 0.6.2, released 2004-04-30, that version addresses this issue [2]. Users should upgrade to PROPS 0.6.2 or later. No workarounds are documented in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:props:props:0.6.1:*:*:*:*:*:*:*
