PT-2006-5635 · David Bennett · Php-Post

Hackers Pal · Published 2006-09-19 · Updated 2018-10-17 · CVE-2006-4881

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

David Bennett PHP-Post (PHPp) versions 1.0 and earlier

Description

The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in different files, including the replyuser parameter in "pm.php", the txt jumpto parameter in "dropdown.php", the txt error and txt templatenotexist parameters in "template.php", the split parameter in files such as "editprofile.php", "search.php", "index.php", and "pm.php", and the txt login parameter in "loginline.php". Additionally, remote authenticated users can inject arbitrary web script or HTML via the txt logout parameter in "loginline.php".

Recommendations

For David Bennett PHP-Post (PHPp) versions 1.0 and earlier, consider disabling the vulnerable parameters, such as replyuser, txt jumpto, txt error, txt templatenotexist, split, txt login, and txt logout, until a patch is available. Restrict access to the affected files, including "pm.php", "dropdown.php", "template.php", "editprofile.php", "search.php", "index.php", and "loginline.php", to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.


Related Identifiers

CVE-2006-4881

Affected Products

Php-Post