[原文]** DISPUTED ** Multiple SQL injection vulnerabilities in OvBB 0.08a allow remote attackers to execute arbitrary SQL commands via the (1) threadid parameter to thread.php and (2) userid parameter to profile.php. NOTE: the vendor disputes these issues, saying "these reports are completely unsubstantial."
OvBB contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the thread.php script not properly sanitizing user-supplied input to the 'threadid' variable.
Followup research along with vendor dispute indicates this issue can not be used to manipulate SQL queries. It is believed that non-numeric input may cause an SQL error giving the appearance of injection capability.
The reported vulnerability has been determined to be incorrect. No solution is required.