Advanced Guestbook contains a flaw that allows a remote attacker to view arbitrary files on the system outside of the web path. The issue is due to 'index.php' not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the 'lang' cookie parameter.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
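The kind of validation the description says is missing, shown as an added example; it is not Advanced Guestbook's code and not a vendor patch. The `lang/` directory, the `<name>.php` file naming, the default language and the function name `resolve_lang_file` are assumptions made for illustration.

```php
<?php
// Added illustration; not Advanced Guestbook source code.
// Assumptions: language files live in ./lang and are named "<name>.php".
const LANG_DIR = __DIR__ . '/lang';
const DEFAULT_LANG = 'english';

/**
 * Map an untrusted language name (for example $_COOKIE['lang']) to a file
 * that is guaranteed to sit inside LANG_DIR, or fall back to the default.
 */
function resolve_lang_file($requested): string
{
    $default = LANG_DIR . '/' . DEFAULT_LANG . '.php';

    // Cookie values can arrive as arrays (lang[]=x); accept strings only.
    if (!is_string($requested)) {
        return $default;
    }

    // 1. Syntax allow-list: letters, digits, underscore, hyphen.
    //    Rejects "../", "/", "\", dots and NUL bytes before any path is built.
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested) !== 1) {
        return $default;
    }

    // 2. Containment check: canonicalise (resolves symlinks) and confirm
    //    the result is still located under the language directory.
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return $default;
    }

    return $path;
}

// Constructed sample inputs: one ordinary value, then malformed ones.
$samples = ['german', '../../some/file', "english\0.jpg", ['x']];
foreach ($samples as $cookie) {
    printf("%-24s => %s\n", json_encode($cookie), resolve_lang_file($cookie));
}
```

Only the value returned by `resolve_lang_file()` should ever reach `include` or a file read; the raw cookie value should not.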
Advanced Guestbook index.php lang Cookie Variable Path Disclosure
Secunia Advisory ID: 25153
Other Advisory URL: http://www.netvigilance.com/advisory0013
Other Advisory URL: http://securityreason.com/securityalert/2662
Other Advisory URL: http://www.netvigilance.com/advisory0011
Other Advisory URL: http://www.netvigilance.com/advisory0012
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/467937/100/0/threaded
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0099.html
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/467941/100/0/threaded
ISS X-Force ID: 34152
FrSIRT Advisory: ADV-2007-1726
CVE-2007-0609
Bugtraq ID: 23876