PT-2007-4797 · Quicktalk Forum, Quickticket

Croconile · Published 2007-07-03 · Updated 2017-09-29 · CVE-2007-3539

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
QuickTicket version 1.2 build:20070621; QuickTalk Forum versions 1.3 through 1.5.0.3

Description
The issue allows remote attackers to execute arbitrary SQL commands. It can be reached through several parameters in different files: the t and f parameters in qti_ind_post.php and qti_ind_post_prt.php, the dir and order parameters in qti_ind_member.php, the id parameter in qti_usr.php, and the f parameter in qti_ind_topic.php.

Recommendations
For QuickTicket version 1.2 build:20070621, consider restricting access to the qti_ind_post.php, qti_ind_post_prt.php, qti_ind_member.php, and qti_usr.php files until a patch is available. For QuickTalk Forum versions 1.3 through 1.5.0.3, avoid using the id parameter in qti_usr.php and the f parameter in qti_ind_topic.php until the issue is resolved. As a temporary workaround, consider preventing the t, f, dir, and order parameters in the affected files from being used in SQL commands until a patch is available.
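The defect class behind this record is request parameters (t, f, id, dir, order) reaching SQL without validation or binding. The following is an added example written for this page; it is not code from QuickTicket or QuickTalk Forum, and the table names, column names, function names and the $pdo connection are assumptions for illustration. It puts a hypothetical vulnerable lookup next to a hardened one that validates integer identifiers, binds them through a prepared statement, and allow-lists the sort column and direction (which cannot be bound as placeholders).

```php
<?php
// Added example, not code from QuickTicket/QuickTalk Forum. Schema,
// function names and the PDO connection are assumptions for illustration.

// Hypothetical vulnerable pattern: the request value is concatenated straight
// into the query, so whatever the client sends becomes part of the SQL.
function findPostsVulnerable(PDO $pdo, array $get): array
{
    $t = $get['t'] ?? '';
    $sql = "SELECT * FROM posts WHERE topic_id = " . $t;   // injectable
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup for integer identifiers (t, f, id): validate the type,
// then bind the value so the database never parses it as SQL.
function findPostsSafe(PDO $pdo, array $get): array
{
    $topicId = filter_var(
        $get['t'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($topicId === false) {
        // Reject rather than "clean": a non-integer t is never a valid request.
        throw new InvalidArgumentException('t must be a positive integer');
    }

    $stmt = $pdo->prepare('SELECT * FROM posts WHERE topic_id = :topic');
    $stmt->bindValue(':topic', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened member listing for sort parameters (dir, order). ORDER BY targets
// cannot be placeholders, so map the request value through an allow-list and
// interpolate only the allow-listed SQL fragment, never the raw input.
function listMembersSafe(PDO $pdo, array $get): array
{
    $allowedOrder = [
        'name'   => 'username',
        'joined' => 'joined_at',
        'posts'  => 'post_count',
    ];
    $orderKey = $get['order'] ?? 'joined';
    if (!array_key_exists($orderKey, $allowedOrder)) {
        throw new InvalidArgumentException('unknown order field');
    }
    $orderCol = $allowedOrder[$orderKey];

    // Only two literal outcomes are possible for the direction.
    $dir = (strtolower($get['dir'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';

    $stmt = $pdo->prepare(
        "SELECT username, joined_at, post_count FROM members ORDER BY $orderCol $dir"
    );
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch (assumed DSN): the hardened functions receive $_GET unchanged
// and do their own validation, so a malformed t or order is refused up front.
// $pdo = new PDO('mysql:host=localhost;dbname=forum', $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $posts   = findPostsSafe($pdo, $_GET);
// $members = listMembersSafe($pdo, $_GET);
```

Two design points worth noting: the integer check uses FILTER_VALIDATE_INT rather than a cast, so a value such as "5 OR 1=1" is rejected instead of silently truncated to 5, and the ORDER BY path never interpolates the request value itself, only the fixed column name it maps to. Disabling emulated prepares makes the binding a genuine server-side parameter rather than client-side escaping.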

Weakness Enumeration
SQL injection

Related identifiers
CVE-2007-3539

Affected products
Quicktalk Forum
Quickticket