CVE-2009-1677

Name of the Vulnerable Software and Affected Versions: Bitweaver versions 2.6 and earlier

Description: The issue concerns multiple static code injection vulnerabilities in the saveFeed function within the rss/feedcreator.class.php file. This allows remote authenticated users to inject arbitrary PHP code into files by placing PHP sequences into the account's display name setting and then invoking the "boards/boards rss.php" endpoint. Additionally, it might allow remote attackers to inject arbitrary PHP code into files via the HTTP Host header in a request to the "boards/boards rss.php" endpoint.

Recommendations: For Bitweaver versions 2.6 and earlier, update to a version later than 2.6 to resolve the issue. As a temporary workaround, consider restricting access to the saveFeed function in the rss/feedcreator.class.php file until a patch is available. Avoid using the display name setting to inject PHP sequences in the account settings. Restrict modifications to the HTTP Host header to minimize the risk of exploitation.