[原文]SQL injection vulnerability in post.php for MercuryBoard 1.1.1 allows remote attackers to execute arbitrary SQL commands via a reply post action for index.php with (1) the t parameter or (2) the qu parameter.
# little late posting this /str0ke
# milw0rm.com [2005-02-12]
MercuryBoard contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the 't' and 'qu' variable in the post.php script is not verified properly and will allow an attacker to inject or manipulate SQL queries.
Upgrade to version 1.1.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.