Gu1Ll4Um3R0M41N

**Name of the Vulnerable Software and Affected Versions** IceBB versions 1.0-rc6 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the X-Forwarded-For HTTP header in the admin/index.php file. **Recommendations** For IceBB version 1.0-rc6, consider restricting access to the admin/index.php file until a patch is available. As a temporary workaround, avoid using the X-Forwarded-For HTTP header in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MetaForum version 0.513 Beta **Description** The issue concerns an unrestricted file upload vulnerability. It allows remote attackers to upload and execute arbitrary scripts by exploiting the fact that the software restricts file types based on the MIME type in the Content-type HTTP header. This can be done by using an image MIME type with a filename containing an executable extension, such as `.php`. **Recommendations** For MetaForum version 0.513 Beta, consider restricting file uploads to only necessary and validated types, and ensure that the validation checks both the MIME type and the file extension to prevent uploading executable scripts. As a temporary workaround, consider disabling the file upload functionality in `usercp.php` until a proper fix is implemented.

**Name of the Vulnerable Software and Affected Versions** BTI-Tracker version 1.3.2 **Description** A directory traversal issue exists, allowing remote attackers to delete arbitrary files. This is achieved by using ".." sequences in the `TORRENTSDIR` parameter within a prune action. **Recommendations** For BTI-Tracker version 1.3.2, as a temporary workaround, consider restricting access to the prune action in include/prune torrents.php to minimize the risk of exploitation. Avoid using the `TORRENTSDIR` parameter with untrusted input until the issue is resolved.