CVE-2006-1828

Name of the Vulnerable Software and Affected Versions PHP121 version 1.4

Description The issue allows remote attackers to execute arbitrary SQL commands and potentially execute arbitrary code. This is achieved via the sess username variable, which is set by the php121un HTTP COOKIE parameter. The parameter is used in multiple files, including php121login.php. The code execution occurs because the SQL query results are used in an include statement.

Recommendations For PHP121 version 1.4, consider restricting access to the php121un HTTP COOKIE parameter and the sess username variable to minimize the risk of exploitation. As a temporary workaround, avoid using the sess username variable in SQL queries until a patch is available.