CVE-2006-4673

Name of the Vulnerable Software and Affected Versions PHP-Fusion versions 6.01.4 and earlier

Description The issue allows remote attackers to conduct SQL injection attacks. This is due to a global variable overwrite vulnerability in maincore.php, which uses the extract function on superglobals. The vulnerability can be exploited via the SERVER[REMOTE ADDR] parameter to news.php.

Recommendations For PHP-Fusion versions 6.01.4 and earlier, consider restricting access to the news.php endpoint until a fix is available. As a temporary workaround, avoid using the SERVER[REMOTE ADDR] parameter in the affected API endpoint.