Secunia's latest advisory points out a vulnerability in DreamStats that could be exploited by remote attackers to execute arbitrary commands. The issue is an input validation error in the "index.php" script, which does not validate the "rootpath" parameter; a remote attacker could use it to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.
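To make the class of bug concrete, here is an added illustration (not DreamStats' own code, and the "before" half is a hypothetical reconstruction of the pattern the advisory describes): an include path built directly from the "rootpath" request parameter, beside a hardened version that resolves includes from the script's own location and maps any client-chosen name through an allowlist. The module names, file names and the `players`/`scores` values are constructed for the example.

```php
<?php
// Added example, not code from DreamStats. The unsafe half is a hypothetical
// reconstruction of the reported pattern: a filesystem path taken straight from
// the "rootpath" query parameter and handed to include().

// --- Vulnerable pattern (hypothetical): the client decides where include() reads from.
function loadConfigUnsafe(array $get): string
{
    $root = $get['rootpath'] ?? './';
    // With allow_url_include enabled, a URL here makes PHP fetch and run remote code;
    // even without it, "../" sequences let the client pick arbitrary local files.
    return $root . 'config.php';
}

// --- Hardened pattern: never derive an include path from request data.
// The application root comes from the script's own location, and a client-chosen
// value is only ever a key into a fixed table of known module files.
const APP_ROOT = __DIR__;
const ALLOWED_MODULES = ['players' => 'players.php', 'scores' => 'scores.php'];

function resolveInclude(string $module): ?string
{
    if (!isset(ALLOWED_MODULES[$module])) {
        return null;                     // unknown name: refuse rather than guess
    }
    $candidate = realpath(APP_ROOT . '/' . ALLOWED_MODULES[$module]);
    // realpath() collapses "..", follows symlinks and fails on URLs or missing files;
    // the prefix check confirms the resolved file still lives under APP_ROOT.
    $prefix = APP_ROOT . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample requests for demonstration.
var_dump(loadConfigUnsafe(['rootpath' => 'http://untrusted-host.example/']));  // client-supplied URL reaches include()
var_dump(resolveInclude('players'));                      // absolute path under APP_ROOT when players.php exists
var_dump(resolveInclude('http://untrusted-host.example/'));  // refused: not an allowlisted module name
```

Disabling `allow_url_include` in php.ini removes the remote half of the problem for every script on the server, but only the allowlist approach stops a client from choosing local files as well.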
The products affected by this vulnerability are DreamStats version 4.2 and prior. Users have been urged to upgrade to DreamStats version 5.0, which is available from here.
For the uninitiated, DreamStats is a fully configurable, PHP-based server statistics viewer that can be integrated into any web site for Call of Duty, Call of Duty: United Offensive or Call of Duty 2. DreamStats runs on Windows and Linux with PHP 4 or higher and MySQL 4 or higher. It displays a game server together with the names, scores and pings of the players on it, so that visitors to a web site can see what is going on in the server.