CVE-2009-4805

Name of the Vulnerable Software and Affected Versions EZ-Blog version Beta 1

Description The issue concerns SQL injection vulnerabilities. When magic quotes gpc is disabled, remote attackers can execute arbitrary SQL commands. This can be achieved via the storyid parameter to "public/view.php" or the kill parameter to "admin/remove.php".

Recommendations For EZ-Blog version Beta 1, consider disabling the storyid and kill parameters in the respective API endpoints "public/view.php" and "admin/remove.php" until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Enable magic quotes gpc to prevent SQL injection attacks.