CVE-2006-0759

Name of the Vulnerable Software and Affected Versions HiveMail versions 1.3 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands via several parameters, including the contactgroupid parameter in "addressbook.update.php", the messageid parameter in "addressbook.add.php", and the folderid parameter in "folders.update.php". Additionally, remote authenticated users can execute arbitrary SQL commands via the folderid parameter in "index.php". The vulnerability arises from improper handling of $ SERVER['PHP SELF'].

Recommendations For HiveMail versions 1.3 and earlier, as a temporary workaround, consider restricting access to the vulnerable scripts, such as "addressbook.update.php", "addressbook.add.php", "folders.update.php", and "index.php", until a patch is available. Avoid using the parameters contactgroupid, messageid, and folderid in the affected scripts until the issue is resolved.