[Original text] Multiple SQL injection vulnerabilities in Help Center Live allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to index.php, (2) tid parameter to view.php, fid parameter to (3) download.php or (4) chat_download.php, (5) status parameter to icon.php, TICKET_tid parameter to (6) index.php or (7) view.php.
Help Center Live faq/index.php id Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Help Center Live contains a flaw that may allow an attacker to inject arbitrary SQL queries. The 'id' variable in the faq/index.php script is not properly sanitized, which may allow an attacker to inject or manipulate SQL queries.
Currently, there are no known workarounds or upgrades to correct this issue. However, Michael Bird has released a patch to address this vulnerability.