PT-2006-4143 · Phorum · Phorum

Published

2006-06-27

·

Updated

2024-08-07

·

CVE-2006-3249

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Phorum versions 5.1.14 and earlier

Description

A SQL injection issue in the search.php file allows remote attackers to potentially execute arbitrary SQL commands via the page parameter. However, the vendor disputes this report, stating that a non-positive integer or non-integer value for the page parameter merely breaks the query by producing a negative number in the LIMIT clause, and that this is not a SQL injection error. The original report comes from a researcher whose findings have been of mixed accuracy, and as of the stated date there is no additional information regarding this issue.

Recommendations

For Phorum versions 5.1.14 and earlier, consider validating and sanitizing the page parameter to prevent potential SQL injection attacks. As a temporary workaround, restrict the page parameter to accept only positive integers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
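The following is an added example illustrating the recommended workaround; it is not Phorum's own code and does not reproduce search.php. It contrasts a pagination routine that passes the raw page parameter into a LIMIT clause (the behaviour the vendor describes, where a non-positive value yields a negative offset) with one that accepts only a positive integer within a bounded range and falls back to page 1 otherwise. The constant PAGE_SIZE, the cap $maxPage, and the function names are assumptions made for the example.

```php
<?php
// Added example (not Phorum's own code). PAGE_SIZE and the function
// names below are assumptions chosen for illustration.

const PAGE_SIZE = 30;

// Weak handling: the raw request value flows straight into the LIMIT
// clause. A page of "0" produces "LIMIT -30, 30", which MySQL rejects,
// so the query breaks instead of returning results.
function limitClauseWeak(string $rawPage): string
{
    $offset = ($rawPage - 1) * PAGE_SIZE;
    return "LIMIT $offset, " . PAGE_SIZE;
}

// Hardened handling: accept only an integer in [1, $maxPage]; anything
// else (empty, negative, zero, fractional, non-numeric) becomes page 1.
// The upper bound keeps the offset from growing without limit.
function normalizePage($rawPage, int $maxPage = 100000): int
{
    $page = filter_var($rawPage, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $maxPage],
    ]);
    return $page === false ? 1 : $page;
}

// Build the LIMIT clause only from the validated integer, formatted with
// %d so no user-controlled string ever reaches the SQL text.
function limitClauseSafe($rawPage): string
{
    $page = normalizePage($rawPage);
    $offset = ($page - 1) * PAGE_SIZE;
    return sprintf('LIMIT %d, %d', $offset, PAGE_SIZE);
}

// Constructed sample inputs, as they might arrive in a query string.
echo "weak, page=3 : ", limitClauseWeak('3'), PHP_EOL;
echo "weak, page=0 : ", limitClauseWeak('0'), PHP_EOL;

foreach (['3', '0', '-7', '2.5', 'abc', ''] as $input) {
    echo "safe, page=", var_export($input, true), " : ",
        limitClauseSafe($input), PHP_EOL;
}
```

With these inputs the hardened path yields `LIMIT 60, 30` for "3" and `LIMIT 0, 30` for every other sample, whereas the weak path yields `LIMIT -30, 30` for "0". Using filter_var with FILTER_VALIDATE_INT rather than a cast is deliberate: a cast silently turns "2.5" or "3abc" into a number, while validation rejects them and makes the fallback explicit.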

Related Identifiers

CVE-2006-3249

Affected Products

Phorum