CVE-2006-7172

Name of the Vulnerable Software and Affected Versions PHP-Stats versions 0.1.9.1b and earlier

Description The issue allows remote attackers to execute arbitrary code via SQL injection vulnerabilities. This can be achieved by providing a leading dotted-quad IP address string in either the PC-REMOTE-ADDR HTTP header, which is inserted into $ SERVER['HTTP PC REMOTE ADDR'], or the ip parameter.

Recommendations For PHP-Stats versions 0.1.9.1b and earlier, consider disabling the php-stats.recphp.php script until a patch is available to prevent exploitation of the SQL injection vulnerabilities. Restrict access to the ip parameter in the affected script to minimize the risk of exploitation. Avoid using the PC-REMOTE-ADDR HTTP header with untrusted input until the issue is resolved.