Sahana disaster management system 0.6.2.2, and possibly other versions, allows remote attackers to bypass intended access restrictions and disable administrator authentication via a direct request to stream.php in an acl_enable_acl action to the admin module.
http://www.securityfocus.com/archive/1/510164/100/0/threaded
http://sourceforge.net/tracker/?func=detail&aid=2970786&group_id=127855&atid=709778