[原文]SQL injection vulnerability in mstrack.php in MusOX DF MSAnalysis (DFMSA), as used in some environments that use CPG-Nuke Dragonfly CMS, allows remote attackers to trigger path disclosure from a SQL syntax error, and possibly execute arbitrary SQL commands, via certain query data, probably involving the profile name.
The MSAnalysis module for CPG Dragonfly CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'profile' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Additionally, if a failed SQL query is made, the program will disclose the full installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.