CVE-2008-3191

Name of the Vulnerable Software and Affected Versions: mForum version 0.1a

Description: The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in the usercp.php file when magic quotes gpc is disabled. This can be achieved via the City, Interest, Email, Icq, msn, or Yahoo Messenger field in an edit profile action.

Recommendations: For mForum version 0.1a, consider disabling the edit profile action in usercp.php until a patch is available, or ensure that magic quotes gpc is enabled to prevent SQL injection attacks. Restrict access to the usercp.php file to minimize the risk of exploitation. Avoid using the City, Interest, Email, Icq, msn, or Yahoo Messenger fields in the edit profile action until the issue is resolved.