CVE-2006-1289 Information

Description

Multiple SQL injection vulnerabilities in Milkeyway Captive Portal 0.1 and 0.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) password, (3) team, (4) level, (5) status, (6) teamname, and (7) teamlead parameters in (a) auth.php; the (8) username, (9) action, and (10) filter parameters in (b) authuser.php; the (11) username parameter in (c) utils.php; the (12) id and (13) date parameters in (d) traffic.php; the (14) username parameter in (e) userstatistics.php; and the (15) USERNAME and (16) PASSWORD parameters in a cookie to (f) chgpwd.php.

Reference

http://secunia.com/advisories/19258
http://securitytracker.com/id?1015778
http://www.osvdb.org/23925
http://www.osvdb.org/23927
http://www.osvdb.org/23928
http://www.osvdb.org/23929
http://www.osvdb.org/23931
http://www.securityfocus.com/archive/1/427890/100/0/threaded
http://www.securityfocus.com/bid/17127
http://www.ush.it/team/ascii/hack-milkeway/advisory.txt
http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt
http://www.vupen.com/english/advisories/2006/0968
https://exchange.xforce.ibmcloud.com/vulnerabilities/25281
https://exchange.xforce.ibmcloud.com/vulnerabilities/25287
