CVE-2009-1317

Name of the Vulnerable Software and Affected Versions Aqua CMS version 1.1

Description The issue concerns SQL injection vulnerabilities. These vulnerabilities allow remote attackers to execute arbitrary SQL commands. This can be achieved via the userSID cookie parameter to "droplets/functions/base.php" and the username parameter to "admin/index.php", but only when magic quotes gpc is disabled.

Recommendations For Aqua CMS version 1.1, consider disabling the magic quotes gpc option to prevent SQL injection attacks. As a temporary workaround, restrict access to the "droplets/functions/base.php" and "admin/index.php" files until a patch is available. Avoid using the userSID cookie parameter and the username parameter in the affected API endpoints until the issue is resolved.