CVE-2006-1767

Name of the Vulnerable Software and Affected Versions INDEXU versions 5.0.0 through 5.0.1

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the theme path parameter in multiple PHP files, including index.php, become editor.php, add.php, bad link.php, browse.php, detail.php, fav.php, get rated.php, login.php, mailing list.php, new.php, modify.php, pick.php, power search.php, rating.php, register.php, review.php, rss.php, search.php, send pwd.php, sendmail.php, tell friend.php, top rated.php, user detail.php, and user search.php. Additionally, the base path parameter in invoice.php is also vulnerable.

Recommendations For INDEXU versions 5.0.0 and 5.0.1, consider disabling the theme path parameter in the affected PHP files and restricting access to the base path parameter in invoice.php until a patch is available. Avoid using the theme path and base path parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.