CVE-2008-0371

Name of the Vulnerable Software and Affected Versions aliTalk version 1.9.1.1

Description The issue allows remote authenticated users and attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the mohit parameter to "inc/receivertwo.php", the id parameter to "inc/usercp.php", and the username parameter to "admin/index.php" or "index.php". The vulnerability is related to functions in "functionz/usercp.php" and "functionz/first process.php".

Recommendations For aliTalk version 1.9.1.1, consider disabling the mohit, id, and username parameters in the respective API endpoints until a patch is available. Restrict access to the "inc/receivertwo.php", "inc/usercp.php", "admin/index.php", and "index.php" files to minimize the risk of exploitation. Additionally, enabling magic quotes gpc can help mitigate the issue.