Unrated severityNVD Advisory· Published Aug 25, 2009· Updated Apr 23, 2026

CVE-2008-7064

Description

Directory traversal vulnerability in the get_lang function in global.php in Quicksilver Forums 1.4.2 and earlier, as used in QSF Portal before 1.4.5, when running on Windows, allows remote attackers to include and execute arbitrary local files via a "\" (backslash) in the lang parameter to index.php, which bypasses a protection mechanism that only checks for "/" (forward slash), as demonstrated by uploading and including PHP code in an avatar file.

Affected products

Quicksilver Forums/Quicksilver Forums
cpe:2.3:a:quicksilver_forums:quicksilver_forums:1.4.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/32452nvdExploit
secunia.com/advisories/32823nvdVendor Advisory
www.qsfportal.com/index.phpnvdURL Repurposed
osvdb.org/50143nvd
secunia.com/advisories/38670nvd
exchange.xforce.ibmcloud.com/vulnerabilities/46823nvd
exchange.xforce.ibmcloud.com/vulnerabilities/46828nvd
www.exploit-db.com/exploits/7217nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000