CVE-2006-5829

Name of the Vulnerable Software and Affected Versions: All In One Control Panel (AIOCP) versions 1.3.007 and earlier

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters to various PHP files, including the choosed language parameter to files such as 'cp dpage.php', 'cp news.php', 'cp forum view.php', 'cp edit user.php', 'cp newsletter.php', 'cp links.php', 'cp contact us.php', 'cp login.php', and 'cp codice fiscale.php'; the news category parameter to 'cp news.php'; the nlmsg nlcatid parameter to 'cp newsletter.php'; the links category parameter to 'cp links.php'; the product category id parameter to 'cp show ec products.php'; the order field parameter to 'cp show ec products.php'; the firstrow parameter to 'cp users online.php'; and the orderdir parameter to 'cp links search.php'.

Recommendations: For All In One Control Panel (AIOCP) versions 1.3.007 and earlier, consider disabling the vulnerable parameters, such as choosed language, news category, nlmsg nlcatid, links category, product category id, order field, firstrow, and orderdir, in their respective PHP files until a patch is available. Restrict access to the affected PHP files in public/code/ to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.