CVE-2006-0444

Phpclanwebsite - SQL Injection

Title source: rule

Description

SQL injection vulnerability in index.php in Phpclanwebsite (aka PCW) 1.23.1 allows remote attackers to execute arbitrary SQL commands via the (1) par parameter in the post function on the forum page and possibly the (2) poll_id parameter on the poll page. NOTE: the poll_id vector can also allow resultant cross-site scripting (XSS) from an unquoted error message for invalid SQL syntax.

Exploits (1)

exploitdb WORKING POC VERIFIED

by matrix_killer · perlwebappsphp

https://www.exploit-db.com/exploits/1453

View Code ZIP pw:eip

References (8)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/423145/100/0/threaded

[Patch] http://www.securityfocus.com/bid/16391

[Exploit, Vendor Advisory] http://www.h4cky0u.org/advisories/HYSA-2006-002-phpclan.txt

[Third Party Advisory, VDB Entry] http://www.osvdb.org/22722

[Third Party Advisory, VDB Entry] http://www.osvdb.org/22720

[Third Party Advisory] http://www.vupen.com/english/advisories/2006/0342

[Patch, Vendor Advisory] http://secunia.com/advisories/18597

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/24355

Scores

EPSS 0.0145

EPSS Percentile 80.9%

Details

Status published

Products (1)

phpclanwebsite/phpclanwebsite 1.23.1

Published Jan 26, 2006

Tracked Since Feb 18, 2026