CVE-2006-1994

Name of the Vulnerable Software and Affected Versions dForum versions 1.5 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the DFORUM PATH parameter to various PHP files, including "about.php", "admin.php", "anmelden.php", "losethread.php", "config.php", "delpost.php", "delthread.php", "dfcode.php", "download.php", "editanoc.php", "forum.php", "login.php", "makethread.php", "menu.php", "newthread.php", "openthread.php", "overview.php", "post.php", "suchen.php", "user.php", "userconfig.php", "userinfo.php", and "verwalten.php".

Recommendations For dForum versions 1.5 and earlier, as a temporary workaround, consider restricting access to the DFORUM PATH parameter in the affected PHP files until a patch is available.