Multiple SQL injection vulnerabilities in BK Forum 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to member.asp, (2) forum parameter to forum.asp, or (3) various parameters in register.asp.
# BK Forum <= 4.0 Remote SQL Injection
# by n0m3rcy
# Copyright (c) 2006 n0m3rcy <email@example.com>
First you must be logged in.
Then type this in your browser.
You will find the admin's password.
nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00
# Have phun!
# milw0rm.com [2006-04-24]
BK Forum contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'id' variable in the member.asp script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
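Since no vendor fix is listed, one defensive option is log review for the three scripts the advisory names. The following is an added example, not code from the advisory or from BK Forum: it scans constructed IIS W3C log lines for requests to member.asp, forum.asp and register.asp whose parameters carry SQL meta-characters or, for `id` and `forum`, anything other than a bare integer. The field order in `parse_w3c` and the assumption that `id` and `forum` are numeric are mine; a real log declares its field order in its `#Fields` directive.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Scripts/params named in the advisory; 'int' must be a bare integer (assumed for id
# and forum), 'text' is checked for SQL meta-characters; register.asp watches all.
WATCHED = {"/member.asp": {"id": "int"}, "/forum.asp": {"forum": "int"},
           "/register.asp": {"*": "text"}}
INT_RE = re.compile(r"^\d{1,9}$")
META_RE = re.compile(r"""['"]|--|/\*|;|\bunion\b.*\bselect\b""", re.I | re.S)  # quote, comment, separator, UNION..SELECT

def value_is_suspicious(value, kind):
    # parse_qsl decoded once already; decode again to catch double-encoded input.
    value = unquote_plus(value).strip()
    if kind == "int":
        return INT_RE.match(value) is None
    return META_RE.search(value) is not None

def parse_w3c(line):
    # Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
    f = line.split()
    return {"stem": f[4], "query": "" if f[5] == "-" else f[5], "client": f[6]}

def suspicious_params(stem, query):
    watched = WATCHED.get(stem.lower(), {})
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = watched.get(name.lower()) or watched.get("*")
        if kind and value_is_suspicious(value, kind):
            hits.append((name, unquote_plus(value)))
    return hits

def scan(lines):
    findings = []  # one (client_ip, script, [(param, decoded_value)]) per flagged request
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C directive lines
        rec = parse_w3c(line)
        hits = suspicious_params(rec["stem"], rec["query"])
        if hits:
            findings.append((rec["client"], rec["stem"], hits))
    return findings

# Constructed sample IIS log lines (not from any real server); GET query strings only.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2006-04-24 10:00:01 10.0.0.5 GET /member.asp id=42 192.0.2.10 200
2006-04-24 10:00:07 10.0.0.5 GET /member.asp id=42%27 192.0.2.20 500
2006-04-24 10:00:15 10.0.0.5 GET /register.asp user=bob%27-- 192.0.2.20 200
2006-04-24 10:00:20 10.0.0.5 GET /index.asp id=%27 192.0.2.30 200
""".splitlines()
```

Form posts to register.asp only show up if request bodies are logged, so this catches GET query strings alone.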