Bitweaver · Bitweaver · CVE-2005-4380
**Name of the Vulnerable Software and Affected Versions**
Bitweaver versions 1.1 through 1.1.1 beta
**Description**
Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands. The injection points are the `sort_mode` parameter of "fisheye/list_galleries.php", "messages/message_box.php", and "users/my.php"; the `post_id` parameter of "blogs/view_post.php"; and the `blog_id` parameter of "blogs/view.php". None of these values is properly cleansed by the `convert_sortmode` function in "kernel/BitDb.php" before it reaches the query.
**Recommendations**
For Bitweaver versions 1.1 through 1.1.1 beta, consider disabling the `convert_sortmode` function in "kernel/BitDb.php" until a patch is available that properly cleanses the `sort_mode`, `post_id`, and `blog_id` parameters. Restrict access to the affected endpoints ("fisheye/list_galleries.php", "messages/message_box.php", "users/my.php", "blogs/view_post.php", and "blogs/view.php") to minimize the risk of exploitation. Avoid using the `sort_mode`, `post_id`, and `blog_id` parameters on the affected endpoints until the issue is resolved.
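A sort-mode value ends up in an `ORDER BY` clause, and identifiers cannot be passed as bound parameters, so the defensive fix is an allow-list rather than escaping. The following is an added example of that pattern, not Bitweaver's own `convert_sortmode`; it assumes a `sort_mode` format of `<column>_<asc|desc>`, and the column names, table name, function name and `$pdo` handle are hypothetical.

```php
<?php
// Added example, not Bitweaver code. Assumes sort_mode looks like
// "created_desc"; the column list and table name are hypothetical.

/**
 * Build an ORDER BY clause from an untrusted sort_mode value.
 * Only a column from $allowedColumns and the literal words ASC/DESC can
 * reach the SQL string; the request value itself is never interpolated.
 * Anything unexpected falls back to $defaultClause instead of being echoed.
 */
function safeOrderBy(string $sortMode, array $allowedColumns, string $defaultClause): string
{
    // Split on the last underscore: "created_desc" -> ["created", "desc"]
    $pos = strrpos($sortMode, '_');
    if ($pos === false) {
        return $defaultClause;
    }
    $column    = substr($sortMode, 0, $pos);
    $direction = strtolower(substr($sortMode, $pos + 1));

    // Strict comparison so only an exact, known column name matches.
    if (!in_array($column, $allowedColumns, true)) {
        return $defaultClause;
    }
    if ($direction !== 'asc' && $direction !== 'desc') {
        return $defaultClause;
    }
    // Both parts now come from our own lists, not from the request.
    return 'ORDER BY ' . $column . ' ' . strtoupper($direction);
}

// Usage (hypothetical endpoint). $pdo is an existing PDO connection.
$allowed = ['title', 'created', 'hits'];
$orderBy = safeOrderBy($_GET['sort_mode'] ?? '', $allowed, 'ORDER BY created DESC');

// Numeric ids such as blog_id / post_id are bound as integers, never
// concatenated into the statement text.
$stmt = $pdo->prepare(
    "SELECT post_id, title FROM blog_posts WHERE blog_id = :blog_id $orderBy"
);
$stmt->bindValue(':blog_id', (int) ($_GET['blog_id'] ?? 0), PDO::PARAM_INT);
$stmt->execute();
```

A value like `title_desc` yields `ORDER BY title DESC`, while anything containing an unknown column or a non-`asc`/`desc` suffix is discarded in favour of the default clause.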