CVE-2006-6661

Name of the Vulnerable Software and Affected Versions PHP-Update versions 2.7 and earlier

Description The issue allows remote attackers to overwrite arbitrary program variables and execute arbitrary PHP code via multiple vectors that use the extract function. This can be achieved by exploiting the f, newmessage, newusername, adminuser, and permission parameters.

Recommendations For PHP-Update versions 2.7 and earlier, consider updating to a version later than 2.7 to resolve the issue. As a temporary workaround, restrict the use of the extract function with untrusted input to minimize the risk of exploitation. Avoid using the parameters f, newmessage, newusername, adminuser, and permission in the affected blog.php file until the issue is resolved.