CVE-2008-6659

Name of the Vulnerable Software and Affected Versions Simple Machines Forum (SMF) versions 1.0 through 1.0.14 Simple Machines Forum (SMF) versions 1.1 through 1.1.6

Description The issue allows remote authenticated users to configure arbitrary local files for execution via directory traversal sequences in the value of the theme dir field during a jsoption action. This is related to Sources/QueryString.php and Sources/Themes.php. For example, a local .gif file in attachments/ with PHP code that was uploaded through a profile2 action to index.php can be executed.

Recommendations For Simple Machines Forum (SMF) versions 1.0 through 1.0.14, update to version 1.0.15 or later. For Simple Machines Forum (SMF) versions 1.1 through 1.1.6, update to version 1.1.7 or later.