Software Engineering Institute

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

PHP Address Book 8.2.5 and possibly older versions fail to sanitize input from multiple functions.
http://www.example.com/addressbook/register/checklogin.php?username={insert}&password=pass
http://www.example.com/addressbook/register/admin_index.php?q={insert}
http://www.example.com/addressbook/register/delete_user.php?id={insert}
http://www.example.com/addressbook/register/edit_user.php?id={insert}

Additional information on vulnerable functions can be found at Acadion Security advisory.

A remote unauthenticated attacker may be able to run a subset of SQL commands against the back-end database.

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.