Local file inclusion vulnerability (18.10.2011)
We were informed on 2011-10-17 that RuubikCMS 1.1.0 has a local file inclusion vulnerability in the file /extra/image.php. As a quick fix, you should do the following:
After line 21 in the file /extra/image.php, add a new line with the following code:
if (strstr($_GET['f'], '../')) die('Error');
Everybody who has the experimental extranet tool (v1.1.0) in use, OR who does not use the extranet but has left the folder /extra/ available in their installation, should apply the fix as soon as possible.
You can also download the fixed file here: image.zip (unzip and replace as /extra/image.php)
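A stricter form of the quick fix, as an added example that is not RuubikCMS code: instead of looking for `../` in the parameter, resolve the requested path and confirm it stays inside the folder being served. The function name `resolve_inside` and the directory layout are assumptions, since this page does not show how image.php uses `f`.

```php
<?php
// Added example, not RuubikCMS code. Assumption: the 'f' parameter names a
// file that must live under one base directory (hypothetical layout).

/**
 * Return the canonical path of $requested if it resolves to a regular file
 * inside $baseDir, or null otherwise.
 */
function resolve_inside(string $baseDir, string $requested): ?string
{
    // Empty names and null bytes are never valid in a file name.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and fails on missing files.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare with a trailing separator so "/base-old/x" does not match "/base".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo: a temporary directory stands in for the served folder.
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
$served = $root . DIRECTORY_SEPARATOR . 'images';
mkdir($served, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', 'x');
file_put_contents($served . DIRECTORY_SEPARATOR . 'logo.png', 'x');

foreach (['logo.png', './logo.png', '../secret.txt', 'missing.png'] as $f) {
    $ok = resolve_inside($served, $f);
    printf("%-16s => %s\n", $f, $ok === null ? 'rejected' : 'served');
}

// Remove the constructed files again.
unlink($served . DIRECTORY_SEPARATOR . 'logo.png');
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($served);
rmdir($root);
```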