CVE-2007-3505

Name of the Vulnerable Software and Affected Versions QuickTalk forum version 1.3

Description The issue allows remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) sequence in the lang parameter to specific API endpoints, such as "/qtf checkname.php", "/qtf j birth.php", or "/qtf j exists.php".

Recommendations For QuickTalk forum version 1.3, consider restricting access to the lang parameter in the affected API endpoints until a patch is available. As a temporary workaround, disabling the execution of files from arbitrary locations may help mitigate the risk.