CVE-2006-1638

Name of the Vulnerable Software and Affected Versions: aWebBB version 1.2

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the Username parameter to various PHP files such as 'accounts.php', 'changep.php', 'editac.php', 'feedback.php', 'fpass.php', 'login.php', 'post.php', 'reply.php', or 'reply log.php'. Additionally, the p parameter to 'dpost.php', the c parameter to 'list.php' or 'ndis.php', and the q parameter to 'search.php' are also vulnerable.

Recommendations: For aWebBB version 1.2, as a temporary workaround, consider restricting access to the vulnerable API endpoints, such as 'accounts.php', 'changep.php', 'editac.php', 'feedback.php', 'fpass.php', 'login.php', 'post.php', 'reply.php', 'reply log.php', 'dpost.php', 'list.php', 'ndis.php', and 'search.php', until a patch is available. Avoid using the Username, p, c, and q parameters in the affected endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.