[Original text] Multiple SQL injection vulnerabilities in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allow remote attackers to modify SQL statements via the (1) id parameter to viewattach.php, (2) viewuser_id parameter to users.php, or the (3) id or (4) forum parameter to viewforum.php.
class-1 Forum viewattach.php id Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
class-1 Forum contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'viewattach.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
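With no fix listed, one defensive option is to watch web-server access logs for requests that put non-numeric values into the script/parameter pairs named above. The following is an added example, not part of the advisory or the project's code; it assumes these parameters normally carry numeric identifiers and that the server writes Combined Log Format, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters named in the advisory text above.
WATCHED = {
    "viewattach.php": {"id"},
    "users.php": {"viewuser_id"},
    "viewforum.php": {"id", "forum"},
}

# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Assumption: a legitimate value is 1-10 ASCII digits (a numeric row id).
NUMERIC_RE = re.compile(r"[0-9]{1,10}")


def suspicious_params(log_line):
    """Return [(script, param, decoded_value)] for watched params that are not plain integers."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    hits = []
    # parse_qsl percent-decodes values, so encoded quotes and spaces are seen as-is.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED.get(script, ()) and not NUMERIC_RE.fullmatch(value):
            hits.append((script, name, value))
    return hits


def scan(lines):
    """Flatten the hits for every line of a log."""
    return [hit for line in lines for hit in suspicious_params(line)]


# Constructed sample log lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /forum/viewattach.php?id=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /forum/viewattach.php?id=12%27 HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /forum/viewforum.php?id=3&forum=2+OR+1%3D1 HTTP/1.1" 200 901',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /forum/users.php?viewuser_id=44 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so values sent in a POST body are not visible to this check.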