PT-2006-5875 · Groupee · Groupee Ubb.Threads

Hackers Pal · Published 2006-10-02 · Updated 2018-10-17 · CVE-2006-5137

CVSS v2.0: 5.1 (Medium) · Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Groupee UBB.threads version 6.5.1.1

Description: The issue concerns multiple direct static code injection vulnerabilities. These vulnerabilities allow remote attackers to inject PHP code via specific parameters, including the theme[] array parameter to "admin/doedittheme.php", which is then injected into "includes/theme.inc.php", and the config[] array parameter to "admin/doeditconfig.php", with execution via "includes/config.inc.php". Additionally, attackers can inject a reference to PHP code via a URL in the config[path] parameter and execute it through various scripts, including "dorateuser.php" and "calendar.php".

Recommendations: For Groupee UBB.threads version 6.5.1.1, consider disabling access to the "admin/doedittheme.php" and "admin/doeditconfig.php" scripts until a patch is available. Restrict the use of the theme[] and config[] array parameters to minimize the risk of exploitation. Avoid using the config[path] parameter with untrusted input in scripts like "dorateuser.php" and "calendar.php" to prevent code execution.
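As an added illustration of the static code injection pattern described above and of the kind of fix the recommendations point toward (this is not UBB.threads' own code; the function names and the sample input are hypothetical), the unsafe writer interpolates submitted config[] values straight into PHP source, while the hardened writer accepts only allow-listed keys, rejects a URL scheme in path, and emits every value through var_export so it remains a string literal when the include is executed:

```php
<?php
// Hypothetical illustration of persisting a submitted config[] array into a
// PHP include such as includes/config.inc.php. Not the project's real code.

// Vulnerable pattern: values are pasted into PHP source verbatim, so a value
// containing a quote and a semicolon closes the literal and appends code that
// runs the next time the include file is loaded.
function build_config_unsafe(array $config): string {
    $out = "<?php\n";
    foreach ($config as $key => $value) {
        $out .= "\$config['$key'] = '$value';\n";
    }
    return $out;
}

// Hardened pattern: only allow-listed keys are written, a path carrying a URL
// scheme is refused (it would otherwise be usable as a remote include target),
// and var_export() emits each value as a properly escaped PHP literal.
function build_config_safe(array $config, array $allowed_keys): string {
    $out = "<?php\n";
    foreach ($allowed_keys as $key) {
        if (!array_key_exists($key, $config)) {
            continue;
        }
        $value = (string) $config[$key];
        if ($key === 'path' && preg_match('~^[a-z][a-z0-9+.-]*://~i', $value)) {
            continue; // only a local path is acceptable here
        }
        $out .= '$config[' . var_export($key, true) . '] = '
              . var_export($value, true) . ";\n";
    }
    return $out;
}

// Constructed sample input modelled on a hostile submission (not a real capture).
$submitted = [
    'path'  => "/forum'; echo \"injected\"; //",
    'title' => "Example Board",
    'extra' => "not an allowed key",
];

echo build_config_unsafe($submitted);
// Emits: $config['path'] = '/forum'; echo "injected"; //';   (echo would execute)

echo build_config_safe($submitted, ['path', 'title']);
// Emits: $config['path'] = '/forum\'; echo "injected"; //';  (stays one string)
```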


Related Identifiers: CVE-2006-5137

Affected Products: Groupee Ubb.Threads