PT-2006-2114 · Php · Php-Stats

Published: 2006-03-09 · Updated: 2018-10-18 · CVE-2006-1087

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
PHP-Stats versions 0.1.9.1 and earlier

Description
A direct static code injection issue exists in the modify config action in admin.php. Remote authenticated administrators can execute arbitrary PHP code via the option_new[compatibility_mode] parameter, because its value is written into config.php without being filtered, and that file is executed as PHP whenever it is included. The issue can also be exploited by remote unauthenticated attackers when combined with an authentication bypass vulnerability related to the option[admin_pass] parameter.

Recommendations
For PHP-Stats versions 0.1.9.1 and earlier, update to a version that fixes this issue. As a temporary workaround, restrict access to the modify config action in admin.php to prevent exploitation. Avoid using the option_new[compatibility_mode] parameter in the affected admin.php until the issue is resolved.
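The root cause described above is a settings value being spliced into PHP source. The following is an added example (hypothetical code, not PHP-Stats' own) of that unsafe write next to a hardened one that allow-lists option names, coerces types and serialises with var_export(), so no submitted value can become code; the option names and types are assumed for the demonstration.

```php
<?php
// Added example (hypothetical code, not PHP-Stats' own): persisting admin
// settings so that a submitted option can never become executable PHP.
// Option names and their types are assumed for the demonstration.
// UNSAFE PATTERN (the shape of the flaw in the advisory): the request value is
// spliced into PHP source, so a single quote in it ends the string literal and
// the remainder is parsed as code on the next include of config.php.
function write_config_unsafe(string $path, array $options): void
{
    $src = "<?php\n";
    foreach ($options as $name => $value) {
        $src .= "\$config['$name'] = '$value';\n";   // no validation, no escaping
    }
    file_put_contents($path, $src);
}

// HARDENED: only allow-listed option names are accepted, each is coerced to
// its declared type, and the whole array is serialised with var_export(),
// which always emits a syntactically complete PHP literal.
const ALLOWED_OPTIONS = [
    'compatibility_mode' => 'bool',     // assumed: the option from the advisory
    'site_name'          => 'string',   // assumed: a harmless free-text option
];

function validate_options(array $input): array
{
    $clean = [];
    foreach (ALLOWED_OPTIONS as $name => $type) {
        if (!array_key_exists($name, $input)) { continue; }  // unknown keys dropped
        $value = $input[$name];
        $clean[$name] = match ($type) {
            'bool'   => filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)
                        ?? throw new InvalidArgumentException("$name must be a boolean"),
            'string' => is_string($value) && strlen($value) <= 200
                        ? $value
                        : throw new InvalidArgumentException("$name must be a short string"),
        };
    }
    return $clean;
}

function write_config_safe(string $path, array $options): void
{
    $src = "<?php\nreturn " . var_export(validate_options($options), true) . ";\n";
    // Atomic replace so a half-written config.php is never included.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    rename($tmp, $path);
}
```

The application then loads settings with `$config = include $path;`, which returns the validated array; a value that fails validation raises before anything is written.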

Related Identifiers: CVE-2006-1087

Affected Products: Php-Stats