CVE-2007-6657

PHP remote file inclusion vulnerability in source/includes/load_forum.php in Mihalism Multi Forum Host 3.0.x and earlier allows remote attackers to execute arbitrary PHP code via a URL in the mfh_root_path parameter.

CVE-2007-6653

Directory traversal vulnerability in download.php in Mihalism Multi Host 2.0.7 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.