CVE-2006-5829

AIOCP < 1.3.007 - SQL Injection via Multiple Parameters


Exploitation Summary

EIP tracks 12 public exploits for CVE-2006-5829. PoCs published by laurent gaffie.

AI-analyzed exploit summary: The provided text describes a SQL injection vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior. The vulnerability arises from insufficient input sanitization, allowing attackers to manipulate the 'order_field' parameter in 'cp_users_online.php' to execute arbitrary SQL queries.

Description

Multiple SQL injection vulnerabilities in All In One Control Panel (AIOCP) 1.3.007 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) choosed_language parameter to (a) cp_dpage.php, (b) cp_news.php, (c) cp_forum_view.php, (d) cp_edit_user.php, (e) cp_newsletter.php, (f) cp_links.php, (g) cp_contact_us.php, (h) cp_login.php, and (i) cp_codice_fiscale.php in public/code/; (2) news_category parameter to public/code/cp_news.php; (3) nlmsg_nlcatid parameter to public/code/cp_newsletter.php; (4) links_category parameter to public/code/cp_links.php; (5) product_category_id parameter to public/code/cp_show_ec_products.php; (6) order_field parameter to public/code/cp_show_ec_products.php; (7) firstrow parameter to public/code/cp_users_online.php; and (8) orderdir parameter to public/code/cp_links_search.php.

Exploits (12)

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28932

The provided text describes a SQL injection vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior. The vulnerability arises from insufficient input sanitization, allowing attackers to manipulate the 'order_field' parameter in 'cp_users_online.php' to execute arbitrary SQL queries.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) <= 1.3.007
No auth needed
Prerequisites: Access to the vulnerable endpoint · Knowledge of SQL injection techniques
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28930

The provided text describes SQL injection vulnerabilities in All In One Control Panel (AIOCP) versions 1.3.007 and prior. It outlines vulnerable parameters in specific URLs but does not include executable exploit code.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) <= 1.3.007
No auth needed
Prerequisites: Access to the vulnerable URL endpoints
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28927

The provided text describes SQL injection vulnerabilities in All In One Control Panel (AIOCP) due to insufficient input sanitization. It includes example URLs demonstrating the vulnerable parameters but lacks executable exploit code.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable application URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28924

The provided text describes SQL injection vulnerabilities in All In One Control Panel (AIOCP) due to insufficient input sanitization. It includes example URLs demonstrating the vulnerability but lacks executable exploit code.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable application URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28931

The provided text describes a vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior, which is prone to input-validation vulnerabilities. The example URL demonstrates a potential SQL injection vector via the 'choosed_language' parameter.

Classification: Writeup 80%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) <= 1.3.007
No auth needed
Prerequisites: Access to the target URL · Vulnerable version of AIOCP
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28934

The provided text describes a SQL injection vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior. It highlights the lack of input sanitization, which could allow attackers to execute arbitrary SQL commands.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) <= 1.3.007
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28928

The provided text describes SQL injection vulnerabilities in All In One Control Panel (AIOCP) due to insufficient input sanitization. It includes example URLs demonstrating the vulnerable parameters but lacks executable exploit code.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28925

The provided text describes a vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior, highlighting input-validation issues that could lead to SQL injection and other attacks. It includes a sample URL demonstrating the vulnerability but lacks executable exploit code.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28926

The provided text describes a vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior, which is prone to input-validation vulnerabilities. The example URL demonstrates a potential SQL injection vector via the 'choosed_language' parameter.

Classification: Writeup 80%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28923

The provided text describes a vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior, which is prone to input-validation vulnerabilities. The example URL demonstrates a potential SQL injection vector via the 'choosed_language' parameter.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28929

The provided text describes a vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior, highlighting input-validation vulnerabilities that could lead to SQL injection, XSS, or other attacks. It includes a sample URL demonstrating the vulnerability but lacks executable exploit code.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) <= 1.3.007
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by laurent gaffie · text · webapps · php
https://www.exploit-db.com/exploits/28933

The provided text describes a vulnerability in All In One Control Panel (AIOCP) versions 1.3.007 and prior, which is prone to input-validation vulnerabilities. The example URL demonstrates a potential SQL injection vector via the 'choosed_language' parameter.

Classification: Writeup 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Theoretical
Target: All In One Control Panel (AIOCP) 1.3.007 and prior
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4378
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/450701/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30051
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1839
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22719
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20931

Scores

EPSS 0.0116
EPSS Percentile 63.0%

Details

CWE: CWE-89
Status: published
Products (8)
aiocp/aiocp 1.3.000
aiocp/aiocp 1.3.001
aiocp/aiocp 1.3.002
aiocp/aiocp 1.3.003
aiocp/aiocp 1.3.004
aiocp/aiocp 1.3.005
aiocp/aiocp 1.3.006
aiocp/aiocp < 1.3.007
Published Nov 10, 2006
Tracked Since Feb 18, 2026