CVE-2006-4429

Name of the Vulnerable Software and Affected Versions PHlyMail Lite versions 3.4.4 and earlier

Description A remote file inclusion issue allows attackers to execute arbitrary PHP code via a URL in the PM [path][handler] parameter. This is a different attack vector. Note that this issue has been disputed by a third party, citing the IN PHM declaration as a preventative measure against direct file calls.

Recommendations For PHlyMail Lite versions 3.4.4 and earlier, consider restricting access to the handlers/email/mod.output.php file until a fix is available. As a temporary workaround, avoid using the PM [path][handler] parameter in URLs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.