Multiple SQL injection vulnerabilities in akocomment.php in AkoComment 2.0 module for Mambo, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) acname or (2) contentid parameter.
Ako Comments for Mambo akocomment.php Multiple Field SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
AkoComment contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the akocomment.php script not properly sanitizing user-supplied input to the "acname" and "contentid" parameters before using it in database queries; the issue is exploitable when PHP's magic_quotes_gpc setting is disabled. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, reading or modifying data the script was never meant to expose.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
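The following is an added illustration of the two injection shapes described above, written for this page and not taken from AkoComment, Mambo or any exploit. It rebuilds a minimal comment table in SQLite (table and column names, sample rows and the two payloads are all constructed assumptions) and contrasts a lookup that splices acname and contentid straight into the query text with a hardened lookup that validates contentid as an integer and binds both values as parameters.

```python
import sqlite3

# Constructed in-memory schema for the demo. Table and column names are
# assumptions for illustration, not taken from the AkoComment source.
SCHEMA = """
CREATE TABLE mos_akocomment (
    id INTEGER PRIMARY KEY, contentid INTEGER, name TEXT, comment TEXT);
CREATE TABLE mos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO mos_akocomment VALUES (1, 7, 'alice', 'first comment on item 7');
INSERT INTO mos_akocomment VALUES (2, 8, 'bob', 'a comment on item 8');
INSERT INTO mos_users VALUES (62, 'admin', 'not-a-real-hash');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_comments_vulnerable(conn, contentid, acname):
    """Unsafe pattern: request values are concatenated into the query text
    with no escaping, which is the state of a PHP application when
    magic_quotes_gpc is off."""
    sql = ("SELECT id, contentid, name, comment FROM mos_akocomment "
           f"WHERE contentid = {contentid} AND name = '{acname}'")
    return conn.execute(sql).fetchall()


def fetch_comments_safe(conn, contentid, acname):
    """Hardened form: contentid is validated as an integer before any SQL is
    built, and both values are bound as parameters so they can never change
    the structure of the query."""
    try:
        cid = int(contentid)
    except (TypeError, ValueError):
        raise ValueError("contentid must be an integer")
    sql = ("SELECT id, contentid, name, comment FROM mos_akocomment "
           "WHERE contentid = ? AND name = ?")
    return conn.execute(sql, (cid, acname)).fetchall()


def safe_rejects(conn, contentid, acname):
    """True if the hardened lookup refuses the input before running any SQL."""
    try:
        fetch_comments_safe(conn, contentid, acname)
    except ValueError:
        return True
    return False


# Two constructed payloads, one per injectable parameter.
# acname: closes the string literal and appends an always-true condition.
ACNAME_PAYLOAD = "x' OR '1'='1"
# contentid: the field is numeric, so no quote is needed; a UNION pulls rows
# from an unrelated table and a comment marker discards the rest of the query.
CONTENTID_PAYLOAD = "7 UNION SELECT id, id, username, password FROM mos_users --"


if __name__ == "__main__":
    db = open_db()
    print(fetch_comments_vulnerable(db, "7", "alice"))            # one row
    print(fetch_comments_vulnerable(db, "7", ACNAME_PAYLOAD))     # every comment
    print(fetch_comments_vulnerable(db, CONTENTID_PAYLOAD, "alice"))  # users leak
    print(fetch_comments_safe(db, "7", ACNAME_PAYLOAD))           # []
    print(safe_rejects(db, CONTENTID_PAYLOAD, "alice"))           # True
```

Note the asymmetry between the two payloads: the acname payload depends on a quote character, which is exactly what magic_quotes_gpc (or addslashes()) escapes, whereas the contentid payload contains no quote at all because the value sits in a numeric context. Quote escaping is therefore not a substitute for type validation and parameterized queries, which close both paths at once.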