SQL injection vulnerability in addentry.php in Woltlab Burning Book 1.0 Gold, 1.1.1e, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the user-agent parameter.
WoltLab Burning Book addentry.php user-agent Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Burning Book contains a flaw that allows a remote attacker to inject arbitrary SQL code. User-supplied input submitted to the 'addentry.php' script (the user-agent parameter) is not properly validated before being used in a database query, which lets a remote attacker inject or manipulate SQL queries.
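The defect class described above, shown as an added illustration rather than Burning Book's own code: a guestbook insert that splices the User-Agent header into the SQL string, next to the same insert done with a bound parameter. The table name, column names and the sample header are assumptions; an in-memory SQLite database is used so the script runs stand-alone.

```php
<?php
// Added example, not code from Burning Book. The table layout is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, name TEXT, message TEXT, user_agent TEXT)');

// Vulnerable form: the raw header (in a real script, $_SERVER['HTTP_USER_AGENT'])
// becomes part of the SQL text, so a quote in the header alters the statement
// instead of being stored as data.
function addEntryUnsafe(PDO $db, string $name, string $message, string $ua): void {
    $sql = "INSERT INTO entries (name, message, user_agent) VALUES ('$name', '$message', '$ua')";
    $db->exec($sql);
}

// Hardened form: every value travels as a bound parameter, never as SQL text.
// Capping the header length also limits what can be stored from a client-controlled field.
function addEntrySafe(PDO $db, string $name, string $message, string $ua): void {
    $stmt = $db->prepare('INSERT INTO entries (name, message, user_agent) VALUES (:name, :message, :ua)');
    $stmt->execute([
        ':name'    => $name,
        ':message' => $message,
        ':ua'      => substr($ua, 0, 255),
    ]);
}

// Constructed sample header containing a single quote, which legitimate
// User-Agent strings can contain. The unsafe insert throws a syntax error
// (the quote terminates the literal early); the safe insert stores it verbatim.
$ua = "Mozilla/5.0 (X11; Linux) O'Reilly-Test/1.0";

try {
    addEntryUnsafe($db, 'alice', 'hello', $ua);
    echo "unsafe insert succeeded\n";
} catch (PDOException $e) {
    echo "unsafe insert broke the query: " . $e->getMessage() . "\n";
}

addEntrySafe($db, 'alice', 'hello', $ua);
$row = $db->query("SELECT user_agent FROM entries WHERE name = 'alice'")->fetch(PDO::FETCH_ASSOC);
echo "safe insert stored header verbatim: " . ($row['user_agent'] === $ua ? 'yes' : 'no') . "\n";
```

For a deployed instance without a vendor fix, reviewing every place addentry.php reads request headers or form fields into a query for this pattern, and converting each to a prepared statement, is the practical mitigation.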
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.