admin/delitem.php in RoomPHPlanning 1.6 does not require authentication, which allows remote attackers to (1) delete arbitrary users via the user parameter or (2) delete arbitrary rooms via the room parameter.

References
http://secunia.com/advisories/35237
http://www.exploit-db.com/exploits/8797