CVE-2006-5459

Name of the Vulnerable Software and Affected Versions Download-Engine versions 1.4.2 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via a URL in the $ ENGINE[eng dir] and possibly spaw root parameters in "admin/includes/spaw/spaw script.js.php", and the $ ENGINE[eng dir], $spaw root, $spaw dir, and $spaw base url parameters in "admin/includes/spaw/config/spaw control.config.php".

Recommendations For Download-Engine versions 1.4.2 and earlier, consider disabling the spaw script.js.php and spaw control.config.php files until a patch is available. Restrict access to the admin/includes/spaw directory to minimize the risk of exploitation. Avoid using the $ ENGINE[eng dir], spaw root, $spaw root, $spaw dir, and $spaw base url parameters in the affected files until the issue is resolved.