CVE-2008-1918

Name of the Vulnerable Software and Affected Versions PHP-Fusion versions 6.00.307 through 6.01.14 PHP-Fusion version 7.00.2

Description The issue allows remote authenticated users to execute arbitrary SQL commands when magic quotes gpc is disabled and the database table prefix is known. This is achieved via the submit info[] parameter in a link submission action.

Recommendations For PHP-Fusion versions 6.00.307 through 6.01.14, consider disabling the link submission action until a patch is available. For PHP-Fusion version 7.00.2, consider disabling the link submission action until a patch is available. As a temporary workaround, consider restricting access to the submit.php file to minimize the risk of exploitation. Avoid using the submit info[] parameter in the affected link submission action until the issue is resolved.