CVE-2007-1633

Name of the Vulnerable Software and Affected Versions: Giorgio Ciranni Splatt Forum version 4.0 RC1

Description: The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter. This can be demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by bbcode ref.php.

Recommendations: For Giorgio Ciranni Splatt Forum version 4.0 RC1, consider restricting access to the bbcode ref.php module until a patch is available. As a temporary workaround, avoid using the name parameter in the bbcode ref.php module to minimize the risk of exploitation.