CVE-2006-3611

Name of the Vulnerable Software and Affected Versions Phorum version 5

Description The issue allows remote authenticated users to include and execute arbitrary local files via directory traversal sequences in the template parameter. This can be achieved by injecting PHP sequences into a log file, which is then included by pm.php.

Recommendations For Phorum version 5, consider restricting access to the pm.php file and the template parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the template parameter in the affected pm.php file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.