CVE-2012-5874 Information

Description

Multiple SQL injection vulnerabilities in the (1) update_whosonline_reg and (2) update_whosonline_guest functions in Elite Bulletin Board before 2.1.22 allow remote attackers to execute arbitrary SQL commands via the PATH_INFO to (a) checkuser.php (b) groups.php (c) index.php (d) login.php (e) quicklogin.php (f) register.php (g) Search.php (h) viewboard.php or (i) viewtopic.php.

Reference

http://archives.neohapsis.com/archives/bugtraq/2012-12/0114.html http://elite-board.us/Community/viewtopic.php?bid=1&tid=310 http://packetstormsecurity.com/files/118962/Elite-Bulletin-Board-2.1.21-SQL-Injection.html http://secunia.com/advisories/51622 http://www.exploit-db.com/exploits/23575 http://www.osvdb.org/88531 https://www.htbridge.com/advisory/HTB23133