CVE-2006-2731

Name of the Vulnerable Software and Affected Versions Enigma Haber versions 4.3 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different files, including the id parameter in files such as e mesaj yas.asp, edi haber.asp, and haber devam.asp, the hid parameter in files like yazdir.asp and yorum.asp, and the e parameter in arsiv.asp. With administrator credentials, additional vectors exist, including the yid parameter to admin/y admin.asp, the bid parameter to admin/reklam detay.asp, the hid parameter to admin/detay yorum.asp and admin/haber sil.asp, the kid parameter to admin/kategori d.asp, the tur parameter to admin/haber ekle.asp, the s parameter to admin/e mesaj yaz.asp, and the id parameter to admin/admin sil.asp.

Recommendations For Enigma Haber versions 4.3 and earlier, consider disabling the SQL execution functionality until a patch is available. Restrict access to the vulnerable parameters, such as id, hid, e, yid, bid, kid, tur, and s, in the respective files to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.