[Original text] SQL injection vulnerability in iWebNegar allows remote attackers to execute arbitrary SQL commands via (1) the string parameter for index.php, (2) comments.php, or (3) the administrator login page.
iWebNegar is reported prone to multiple SQL injection vulnerabilities. These issues exist due to a lack of sufficient boundary checks performed on user-supplied URI parameter data.
These issues could theoretically be exploited to compromise the software by performing unauthorized actions on the database, such as modifying or viewing data. SQL injection attacks may also be used to exploit latent vulnerabilities in the underlying database. This may depend on the nature of the query being manipulated as well as the capabilities of the database implementation.
http://www.example.com/weblog/index.php?string=[sql injection code]
iWebNegar contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'string' parameter in the 'index.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.
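The flaw class described above, shown as an added example that is not iWebNegar's code (the page shows none of it): a Python/sqlite3 sketch contrasting a query built by concatenating a 'string' search parameter with one that binds it as data. The posts table, the function names and the sample inputs are all constructed for illustration.

```python
import sqlite3

# Constructed sample inputs: a legitimate search term containing an apostrophe,
# and a value whose quote character changes the structure of a concatenated query.
LEGIT = "O'Reilly"
PROBE = "x' OR published = 0 --"

def make_db():
    """Build a hypothetical in-memory weblog table (not iWebNegar's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO posts (title, published) VALUES (?, ?)",
        [("Hello world", 1), ("Draft notes", 0), ("O'Reilly review", 1)],
    )
    return db

def search_unsafe(db, string):
    """'Before' pattern: the parameter becomes part of the SQL text itself."""
    sql = ("SELECT title FROM posts WHERE published = 1 "
           "AND title LIKE '%" + string + "%' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, string):
    """Hardened pattern: the SQL text is fixed and the parameter is bound as data."""
    # Escape LIKE wildcards so the value is matched literally.
    escaped = string.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT title FROM posts WHERE published = 1 "
           "AND title LIKE ? ESCAPE '\\' ORDER BY id")
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]

def unsafe_breaks_on_apostrophe(db):
    """True if a legitimate apostrophe alone makes the concatenated query fail."""
    try:
        search_unsafe(db, LEGIT)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("unsafe, probe:", search_unsafe(db, PROBE))   # unpublished row leaks
    print("safe,   probe:", search_safe(db, PROBE))     # treated as a literal term
    print("safe,   legit:", search_safe(db, LEGIT))
    print("unsafe fails on apostrophe:", unsafe_breaks_on_apostrophe(db))
```

A query that errors out on an ordinary apostrophe is a cheap test-time signal that a parameter is being concatenated into SQL text instead of bound.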
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.