[原文]SQL injection vulnerability in DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to modify the backend database via the (1) table and (2) field parameters in LinkClick.aspx.
The vendor has released fixes to address this issue. Users are advised to download either DotNetNuke 1.0.10e - FULL (for those who are installing DotNetNuke for the first time or are running a version prior to 1.0.10d) or DotNetNuke 1.0.10e - PATCH (or those who are already running DotNetNuke 1.0.10d) from the vendor site.
DotNetNuke LinkClick.aspx Multiple Field SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity,
Loss of Availability
DotNetNuke contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that "table" and "field" variable in the "LinkClick.aspx" module is not verified properly and will allow an attacker to inject or manipulate SQL queries.
Upgrade to version 1.0.10e or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.