CVE-2008-6659

Simple Machines Forum - Path Traversal

Title source: rule

Description

Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated users to configure arbitrary local files for execution via directory traversal sequences in the value of the theme_dir field during a jsoption action, related to Sources/QueryString.php and Sources/Themes.php, as demonstrated by a local .gif file in attachments/ with PHP code that was uploaded through a profile2 action to index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by ~elmysterio · perlwebappsphp

https://www.exploit-db.com/exploits/7011

View Code ZIP pw:eip

References (5)

[Exploit] http://www.securityfocus.com/bid/32139

[Vendor Advisory] http://secunia.com/advisories/32516

[Vendor Advisory] http://www.simplemachines.org/community/index.php?topic=272861.0

[Third Party Advisory, VDB Entry] http://osvdb.org/50072

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/7011

Scores

EPSS 0.0754

EPSS Percentile 91.8%

Details

CWE

CWE-22

Status published

Products (14)

simple_machines/simple_machines_forum 1.0.5

simple_machines/simple_machines_forum 1.0.6

simple_machines/simple_machines_forum 1.0.7

simple_machines/simple_machines_forum 1.0.11

simple_machines/simple_machines_forum 1.0.12

simple_machines/simple_machines_forum 1.1.1

simple_machines/simple_machines_forum 1.1.2

simple_machines/simple_machines_forum 1.1.3

simple_machines/simple_machines_forum 1.1.4

simple_machines/simple_machines_forum 1.1.5

... and 4 more

Published Apr 07, 2009

Tracked Since Feb 18, 2026