PT-2013-2121 · Php · Php Address Book

Jurgen Voorneveld · Published 2013-04-09 · Updated 2017-08-29 · CVE-2013-0135

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PHP Address Book version 8.2.5

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters to different PHP files, including the id parameter to "/addressbook/register/delete user.php", "/addressbook/register/edit user.php", or "/addressbook/register/edit user save.php"; the email parameter to "/addressbook/register/edit user save.php", "/addressbook/register/reset password.php", "/addressbook/register/reset password save.php", or "/addressbook/register/user add save.php"; the username parameter to "/addressbook/register/checklogin.php" or "/addressbook/register/reset password save.php"; the lastname, firstname, phone, permissions, or notes parameter to "/addressbook/register/edit user save.php"; the q parameter to "/addressbook/register/admin index.php"; the site parameter to "/addressbook/register/linktick.php"; the password parameter to "/addressbook/register/reset password.php"; the password hint parameter to "/addressbook/register/reset password save.php"; the var parameter to "/addressbook/register/traffic.php"; or a BasicLogin cookie to "/addressbook/register/router.php".

Recommendations: For PHP Address Book version 8.2.5, consider disabling the vulnerable parameters and API endpoints until a patch is available. Restrict access to the affected PHP files to minimize the risk of exploitation. Avoid using the specified parameters in the affected API endpoints until the issue is resolved. As a temporary workaround, consider implementing input validation and sanitization for the id, email, username, lastname, firstname, phone, permissions, notes, q, site, password, password hint, and var parameters, as well as for the BasicLogin cookie.
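The validation and parameterization the recommendations call for, shown as an added example that is not PHP Address Book's own code: a delete-user handler that validates the id parameter as an integer and binds both id and email through PDO prepared statements. The table and column names, the DSN and the credentials are assumptions for illustration.

```php
<?php
// Added example in the shape the advisory describes (an `id` request
// parameter reaching a SQL query). Table `users`, its columns, the DSN and
// credentials are assumed; this is not PHP Address Book's source.

declare(strict_types=1);

function deleteUser(PDO $db, array $request): bool
{
    // Validate the type before the value gets anywhere near SQL:
    // the id must be a positive integer, nothing else.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // Parameterize so the value is never interpolated into the statement
    // text; this replaces the concatenating pattern
    //     "DELETE FROM users WHERE id=" . $_GET['id']
    // which is the class of defect the advisory reports.
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

function lookupUserByEmail(PDO $db, string $email): ?array
{
    // Same pattern for the `email` parameter the advisory lists:
    // check the format, then bind rather than concatenate.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Emulated prepares off so the server performs the binding itself
// (assumed DSN; credentials are placeholders).
$db = new PDO('mysql:host=localhost;dbname=addressbook', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
deleteUser($db, $_GET);
```

The same validate-then-bind pattern applies to the remaining listed parameters and to the BasicLogin cookie value, which should be treated as untrusted input exactly like a query parameter.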


Weakness Enumeration

SQL injection

Related Identifiers

CVE-2013-0135

Affected Products

Php Address Book