QuickTalk Forum · CVE-2007-3539
**Name of the Vulnerable Software and Affected Versions**
QuickTicket versions 1.2 build:20070621
QuickTalk Forum versions 1.3 through 1.5.0.3
**Description**
Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands through request parameters in several files: the `t` and `f` parameters of `qti_ind_post.php` and `qti_ind_post_prt.php`, the `dir` and `order` parameters of `qti_ind_member.php`, the `id` parameter of `qti_usr.php`, and the `f` parameter of `qti_ind_topic.php`.
**Recommendations**
For QuickTicket version 1.2 build:20070621, consider restricting access to `qti_ind_post.php`, `qti_ind_post_prt.php`, `qti_ind_member.php`, and `qti_usr.php` until a patch is available.
For QuickTalk Forum versions 1.3 through 1.5.0.3, avoid using the `id` parameter of `qti_usr.php` and the `f` parameter of `qti_ind_topic.php` until the issue is resolved.
As a temporary workaround, stop the values of the `t`, `f`, `dir`, and `order` parameters from being used in SQL queries in the affected files until a patch is available.
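A hardened way to handle the parameters named in this advisory, as an added example that is not code from QuickTalk Forum or QuickTicket: the integer parameters (`t`, `f`, `id`) are validated and bound through PDO prepared statements, while `order` and `dir`, which end up in an ORDER BY clause that cannot be bound, are mapped through an allowlist. The table and column names are assumptions.

```php
<?php
// Added example, not the project's own code. Table and column names
// (qti_users, username, posts, joined) are assumptions for illustration.
declare(strict_types=1);

// Columns the member list may be sorted by (allowlist; hypothetical names).
const MEMBER_ORDER_COLUMNS = ['username', 'posts', 'joined'];

// Integer identifiers (t, f, id): accept only a plain positive integer and
// reject anything else instead of interpolating the raw string into SQL.
function requireIntParam(array $params, string $name): int
{
    $value = filter_var($params[$name] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($value === false) {
        http_response_code(400);
        exit("invalid parameter: $name");
    }
    return $value;
}

// ORDER BY cannot take a bound parameter, so `order` and `dir` are mapped
// through an allowlist and the request value itself never reaches the SQL.
function orderClause(array $params): string
{
    $column = $params['order'] ?? 'username';
    if (!in_array($column, MEMBER_ORDER_COLUMNS, true)) {
        $column = 'username';
    }
    $dir = strtoupper((string) ($params['dir'] ?? 'ASC')) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `$column` $dir";
}

// Lookup in the style of qti_usr.php's `id` parameter, with the value bound
// by a prepared statement rather than concatenated into the query text.
function lookupUser(PDO $db, array $params): ?array
{
    $id = requireIntParam($params, 'id');
    $stmt = $db->prepare('SELECT id, username FROM qti_users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Listing in the style of qti_ind_member.php's `order` and `dir` parameters.
function listMembers(PDO $db, array $params): array
{
    $sql = 'SELECT id, username, posts FROM qti_users ' . orderClause($params);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}
```

Pass `$_GET` as `$params` from each script's entry point; a request whose `order` value is not in the allowlist silently falls back to the default column rather than altering the query.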