CVE-2008-6741

Name of the Vulnerable Software and Affected Versions: Simple Machines Forum (SMF) versions 1.1.4 and earlier

Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by setting the db character set parameter to a multibyte character set, such as big5, which causes the addslashes PHP function to produce a "" (backslash) sequence that does not quote the "'" (single quote) character. An example of exploitation is via a manlabels action to "index.php".

Recommendations: For Simple Machines Forum (SMF) versions 1.1.4 and earlier, consider updating to a version that is not affected by this issue. As a temporary workaround, restrict the use of multibyte character sets for the db character set parameter to minimize the risk of exploitation. Avoid using the db character set parameter with values such as big5 in the affected API endpoint until the issue is resolved.