PT-2009-2128 · Simple Machines · Simple Machines Forum
Alessandro Tagliapietra · Published 2009-04-07 · Updated 2017-09-29
CVE-2008-6658
CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Simple Machines Forum (SMF) versions 1.0 through 1.0.14
Simple Machines Forum (SMF) versions 1.1 through 1.1.6
Description
The issue allows remote authenticated administrators to install packages from arbitrary directories via a .. (dot dot) in the package parameter during an install2 action. This can be achieved by exploiting a predictable package filename in attachments/ that was uploaded through a post2 action to "index.php".
Recommendations
For Simple Machines Forum (SMF) versions 1.0 through 1.0.14, update to version 1.0.15 or later.
For Simple Machines Forum (SMF) versions 1.1 through 1.1.6, update to version 1.1.7 or later.
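For sites that cannot confirm their patch level from history, the condition in the description can be searched for in web server access logs. The following is an added example, not code from SMF or from this advisory: it flags requests to index.php that carry an install2 value together with a package parameter containing a `..` path segment, including URL-encoded forms. The log lines, the `action`/`sa` parameter names and the `;` separator handling are constructed assumptions; only `package`, `install2`, `post2` and `index.php` come from the description.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2009:10:00:00 +0000] "GET /forum/index.php?action=packages;sa=install2;package=example_mod.zip HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/Apr/2009:10:01:00 +0000] "GET /forum/index.php?action=packages;sa=install2;package=../attachments/PLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.11 - - [07/Apr/2009:10:02:00 +0000] "POST /forum/index.php?action=packages&sa=install2&package=%252e%252e%2Fattachments%2FPLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.12 - - [07/Apr/2009:10:03:00 +0000] "POST /forum/index.php?action=post2;package=.. HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so a double-encoded %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_params(query):
    """Split on '&' and ';' (assumption: the forum accepts both separators)."""
    params = {}
    for pair in re.split(r"[&;]", query):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(decode_fully(key), []).append(decode_fully(val))
    return params

def is_suspicious(log_line):
    """Flag install2 requests whose package parameter has a '..' path segment."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    url = urlsplit(match.group(1))
    if not url.path.endswith("index.php"):
        return False
    params = parse_params(url.query)
    is_install2 = any("install2" in vals for vals in params.values())
    climbs = any(".." in re.split(r"[\\/]", v) for v in params.get("package", []))
    return is_install2 and climbs

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("FLAG" if is_suspicious(line) else "ok  ", line)
```

The check only sees parameters that appear in the logged request line, so values sent in a POST body need a body-logging source such as a WAF audit log.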
Exploit
Fix
Path traversal
Weakness Enumeration
Related identifiers
Affected products
Simple Machines Forum