CVE-2006-1204

Name of the Vulnerable Software and Affected Versions txtForum versions 1.0.4-dev and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different PHP files, including index.php, new topic.php, profile.php, reply.php, and view topic.php. The vulnerable parameters include prev, next, rand5, r username, r loc, r num, r family name, r icq, r yahoo, r aim, r homepage, r interests, r about, selected1, selected0, signature selected1, signature selected0, smile selected1, smile selected0, ubb selected1, ubb selected0, quote, tid, sticked, and mid.

Recommendations For txtForum versions 1.0.4-dev and earlier, as a temporary workaround, consider restricting access to the vulnerable parameters until a patch is available. Avoid using the parameters prev, next, rand5, r username, r loc, r num, r family name, r icq, r yahoo, r aim, r homepage, r interests, r about, selected1, selected0, signature selected1, signature selected0, smile selected1, smile selected0, ubb selected1, ubb selected0, quote, tid, sticked, and mid in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.