CVE-2010-1109

Name of the Vulnerable Software and Affected Versions phpMySport version 1.4

Description The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in index.php. This occurs when magic quotes gpc is disabled, and attackers can exploit the vulnerability via various parameters in different actions, including the v2 parameter in member view, team view, club view, and matches view actions, as well as the v1 parameter in news and information actions.

Recommendations For phpMySport version 1.4, consider disabling the affected parameters, such as v1 and v2, in the respective actions until a patch is available. Additionally, enabling magic quotes gpc can help mitigate the risk of SQL injection attacks. However, as a more permanent solution, updating the input validation and sanitization in index.php to prevent SQL injection is necessary. At the moment, there is no information about a newer version that contains a fix for this vulnerability.