CVE-2006-5421 - Unrecollected Farads
Description
WSN Forum 1.3.4 and earlier allows remote attackers to execute arbitrary PHP code via a modified pathname in the pathtoconfig parameter that points to an avatar image that contains PHP code which is then accessed from prestart.php. NOTE: this issue has been labeled remote file inclusion but that label only applies to the attack not the underlying vulnerability.
Reference
http://secunia.com/advisories/22360 http://www.securityfocus.com/bid/20586 http://www.vupen.com/english/advisories/2006/4081 https://exchange.xforce.ibmcloud.com/vulnerabilities/29635 https://www.exploit-db.com/exploits/2583