CVE-2006-0444

Name of the Vulnerable Software and Affected Versions Phpclanwebsite (aka PCW) version 1.23.1

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the par parameter in the post function on the forum page and possibly the poll id parameter on the poll page. The poll id vector can also lead to cross-site scripting (XSS) from an unquoted error message for invalid SQL syntax.

Recommendations For Phpclanwebsite (aka PCW) version 1.23.1, consider restricting access to the par parameter in the post function on the forum page and the poll id parameter on the poll page until a patch is available. As a temporary workaround, avoid using the par and poll id parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.