CVE-2007-4956

Name of the Vulnerable Software and Affected Versions KwsPHP version 1.0

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the pseudo parameter to "login.php", the id parameter to "index.php" in a carnet editer action in the Member Space (espace membre) module, or the typenav parameter to "index.php" in a browser aff action in the stats module.

Recommendations For KwsPHP version 1.0, consider restricting access to the "login.php", "index.php" in the Member Space module, and "index.php" in the stats module to minimize the risk of exploitation. Avoid using the pseudo, id, and typenav parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.