CVE-2006-5421

Name of the Vulnerable Software and Affected Versions WSN Forum versions 1.3.4 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code by modifying the pathname in the pathtoconfig parameter to point to an avatar image containing PHP code. This code is then accessed from prestart.php. It's worth noting that while this issue has been associated with remote file inclusion in the context of an attack, the underlying problem is distinct from this classification.

Recommendations For WSN Forum versions 1.3.4 and earlier, consider restricting access to the prestart.php file and limiting the ability to modify the pathtoconfig parameter to prevent arbitrary PHP code execution until a fix is available. Additionally, as a temporary workaround, avoid using the pathtoconfig parameter to reference avatar images that could contain PHP code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.