PT-2009-2014 · Simple Machines · Simple Machines Forum

Published: 2009-03-30 · Updated: 2024-08-07 · CVE-2008-6544

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Simple Machines Forum (SMF) version 1.1.4

Description
The issue allows remote attackers to potentially execute arbitrary PHP code via a URL supplied in the settings[default_theme_dir] parameter to the "Sources/Subs-Graphics.php" and "Sources/Themes.php" source files. Note that these files contain a protection mechanism against direct requests, which is why multiple third parties have disputed the issue.

Recommendations
For Simple Machines Forum (SMF) version 1.1.4, restrict access to the settings[default_theme_dir] parameter in the affected source files as a temporary workaround until a patch is available, and avoid passing user-controlled values through settings[default_theme_dir] in "Sources/Subs-Graphics.php" and "Sources/Themes.php" to minimize the risk of exploitation.
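The two defensive layers the record refers to, a guard against direct requests on library files and validation of a theme-directory setting before it reaches include(), are illustrated below. This is an added example written for this page; it is not SMF's own code and not part of the advisory. The constant name APP_ENTRY, the function resolve_theme_dir(), the $settings array and the Themes/ directory layout are assumptions made for the illustration.

```php
<?php
// Added illustration: not SMF's code and not part of the advisory.
// Shows the defensive pattern for a "default theme dir" style setting
// so that a URL can never be handed to include()/require().

// Layer 1: a library file must never run as a direct web request.
// The entry script defines APP_ENTRY (assumed name) before including any
// library file; a direct request for this file sees it undefined and stops.
// To run this file for the demonstration, include it from an entry script
// that defines the constant first.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

/**
 * Layer 2: resolve a configured theme directory to a validated local path.
 *
 * Rejects any value with a scheme prefix (http://, ftp://, php://, data:, ...),
 * rejects embedded null bytes, canonicalises the path and requires it to be
 * an existing directory inside $themesRoot. Returns the canonical path or null.
 *
 * resolve_theme_dir() and $themesRoot are assumed names for this example.
 */
function resolve_theme_dir(string $candidate, string $themesRoot): ?string
{
    // A scheme prefix means a URL or stream wrapper, never a local directory.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return null;
    }
    // Null bytes are never legitimate in a path and break realpath() in PHP 8.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    $root = realpath($themesRoot);
    // realpath() resolves any "../" segments, so the prefix check below
    // catches traversal out of the themes root.
    $path = realpath($themesRoot . DIRECTORY_SEPARATOR . $candidate);
    if ($root === false || $path === false || !is_dir($path)) {
        return null;
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: $settings['default_theme_dir'] comes from trusted configuration
// (assumed here), never from request data, and even then only the
// validated path reaches require().
$settings = $settings ?? ['default_theme_dir' => 'default'];
$themeDir = resolve_theme_dir($settings['default_theme_dir'], __DIR__ . '/Themes');
if ($themeDir === null) {
    error_log('Rejected default_theme_dir setting; falling back to the default theme.');
    $themeDir = __DIR__ . '/Themes/default';
}
$template = $themeDir . '/index.template.php';
if (is_file($template)) {
    require $template;
}
```

With this pattern, a value such as "http://example.invalid/evil.txt?" is rejected by the scheme check before any filesystem or network access happens, and a value that points outside Themes/ is rejected by the canonical-path prefix check; the direct-request guard at the top is the same kind of mechanism the record mentions as the reason the issue was disputed.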

Exploit · Fix · Code Injection

Weakness Enumeration

Related Identifiers
CVE-2008-6544

Affected Products
Simple Machines Forum