PT-2006-1226 · Cacti+9
Andreas Sandblad · Published 2006-01-09 · Updated 2024-02-14 · CVE-2006-0146
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
ADODB versions prior to 4.70
Mantis versions prior to 1.1.0a
PostNuke versions prior to 0.764
Moodle versions prior to 1.5.3
Cacti versions prior to 0.8.6i
Xaraya versions prior to 0.98
PHPOpenChat versions prior to 1.0.6
MAXdev MD-Pro versions prior to 1.12
MediaBeez versions prior to 0.9.1
Description
The issue allows remote attackers to execute arbitrary SQL commands through the sql parameter in the server.php test script when the MySQL root password is empty.
Recommendations
For ADODB versions prior to 4.70, update to version 4.70 or later.
For Mantis versions prior to 1.1.0a, update to version 1.1.0a or later.
For PostNuke versions prior to 0.764, update to version 0.764 or later.
For Moodle versions prior to 1.5.3, update to version 1.5.3 or later.
For Cacti versions prior to 0.8.6i, update to version 0.8.6i or later.
For Xaraya versions prior to 0.98, update to version 0.98 or later.
For PHPOpenChat versions prior to 1.0.6, update to version 1.0.6 or later.
For MAXdev MD-Pro versions prior to 1.12, update to version 1.12 or later.
For MediaBeez versions prior to 0.9.1, update to version 0.9.1 or later.
Exploit
Fix
RCE
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
ADODB
Cacti
MAXdev MD-Pro
Mantis
MediaBeez
Moodle
MySQL Server
PHPOpenChat
PostNuke
Xaraya