Directory traversal vulnerability in collect.php in CYASK 3.x allows remote malicious users to read arbitrary files via a .. (dot dot) in the neturl parameter.
This vulnerability leads to that the attacker can read any file on your webserver when it installs cyask
The $neturl variable in collectphp is short of enough check When the attacker registers a new user, he can pass
the user check and then submit any filename to $neturl so that collectphp can read it
The vuln code like this:
$url=get_refer ...
Vulmon