PT-2010-2776 · Osdate · Osdate

Published 2010-03-23 · Updated 2017-08-17 · CVE-2010-1055

CVSS v2.0: 5.1 (Medium)

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

osDate version 2.1.9
osDate version 2.5.4

Description

The issue allows remote attackers to execute arbitrary PHP code when magic_quotes_gpc is disabled and register_globals is enabled. This can be achieved via a URL in the config[forum_installed] parameter to API endpoints such as "forum/adminLogin.php" and "forum/userLogin.php".

Recommendations

For osDate versions 2.1.9 and 2.5.4, consider disabling the config[forum_installed] parameter or restricting access to the "forum/adminLogin.php" and "forum/userLogin.php" API endpoints until a patch is available.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2010-1055

Affected Products

Osdate