PT-2005-4050 · Cyphor · Cyphor

Rgod · Published 2005-10-14 · Updated 2017-07-11 · CVE-2005-3236

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Cyphor version 0.19

Description

The issue allows remote attackers to execute arbitrary SQL and obtain administrative access. This can be achieved via the fid parameter of "newmsg.php" or the nick parameter of "lostpwd.php". When the SQL syntax is invalid, it can also enable XSS attacks.

Recommendations

For Cyphor version 0.19, consider restricting access to the newmsg.php and lostpwd.php scripts until a patch is available. As a temporary workaround, avoid using the fid and nick parameters in these scripts to minimize the risk of exploitation.


Related identifiers

CVE-2005-3236

Affected products

Cyphor