CVE-2009-4791 Information

Description

Multiple SQL injection vulnerabilities in Family Connections (aka FCMS) before 1.8.2 allow remote attackers to execute arbitrary SQL commands via the (1) letter parameter to addressbook.php, (2) id parameter to recipes.php, (3) year parameter to register.php, (4) poll_id parameter to home.php, and (5) email parameter to lostpw.php.

Reference

http://secunia.com/advisories/34503
http://sourceforge.net/project/shownotes.php?release_id=672266
http://sourceforge.net/tracker/?func=detail&aid=2722736&group_id=189733&atid=930513
http://www.exploit-db.com/exploits/8319
http://www.familycms.com/blog/2009/03/fcms-182-released/
http://www.securityfocus.com/archive/1/502272/100/0/threaded
http://www.securityfocus.com/bid/34297
