CVE-2009-4884

Name of the Vulnerable Software and Affected Versions phpCommunity version 2.1.8

Description The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities when magic quotes gpc is disabled. This can be achieved via various parameters in different actions to index.php, including the forum id parameter in a forum action, the topic id parameter in a forum action, and the wert parameter in id, nick, or forum search actions. The vulnerable files are related to class forum.php and class search.php.

Recommendations For phpCommunity version 2.1.8, consider disabling the magic quotes gpc option or updating the configuration to prevent SQL injection attacks. As a temporary workaround, restrict access to the index.php file and its related actions, such as forum and search actions, until a patch is available. Avoid using the forum id, topic id, and wert parameters in the affected API endpoints until the issue is resolved.