CVE-2006-2745

Name of the Vulnerable Software and Affected Versions F@cile Interactive Web versions 0.8.5 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This can be achieved via a URL in the pathfile parameter in files such as p-editpage.php and p-editbox.php, and the mytheme and myskin parameters in multiple "p-themes" index.inc.php files, including lowgraphic, classic, puzzle, simple, and ciao.

Recommendations For F@cile Interactive Web versions 0.8.5 and earlier, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the p-editpage.php, p-editbox.php, and "p-themes" index.inc.php files, and avoid using the pathfile, mytheme, and myskin parameters in these files until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.