CVE-2009-0646

Name of the Vulnerable Software and Affected Versions 4Site CMS versions 2.6 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including login and password to the "pcgi/4site.pl" endpoint, page to "print/print.shtml", s and i to "portfolio/index.shtml", h to "hotel/index.php", id to "news/news1.shtml", and th to "faq/index.shtml".

Recommendations For 4Site CMS versions 2.6 and earlier, update to a version later than 2.6 to resolve the issue. As a temporary workaround, consider restricting access to the affected endpoints, such as "pcgi/4site.pl", "print/print.shtml", "portfolio/index.shtml", "hotel/index.php", "news/news1.shtml", and "faq/index.shtml", until a patch is available. Avoid using the vulnerable parameters login, password, page, s, i, h, id, and th in the respective endpoints until the issue is resolved.