CVE-2006-1289

Name of the Vulnerable Software and Affected Versions Milkeyway Captive Portal versions 0.1 through 0.1.1

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters in different PHP files, including username, password, team, level, status, teamname, teamlead, action, filter, id, date, USERNAME, and PASSWORD. The affected files are auth.php, authuser.php, utils.php, traffic.php, userstatistics.php, and chgpwd.php.

Recommendations For Milkeyway Captive Portal versions 0.1 through 0.1.1, consider disabling the SQL execution functionality in the affected PHP files until a patch is available. Restrict access to the vulnerable parameters to minimize the risk of exploitation. Avoid using the parameters username, password, team, level, status, teamname, teamlead, action, filter, id, date, USERNAME, and PASSWORD in the affected API endpoints until the issue is resolved.