CVE-2006-5228
Description
SQL injection in ackerTodo login.php allows remote attackers to execute arbitrary SQL commands via up_login, up_pass, or up_num_tasks parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ackerTodo login.php allows remote attackers to execute arbitrary SQL commands via up_login, up_pass, or up_num_tasks parameters.
Vulnerability
The login.php script in the gadget/ directory of ackerTodo version 4.2 and earlier contains multiple SQL injection vulnerabilities. The parameters up_login, up_pass, and up_num_tasks are not sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. [1]
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to gadget/login.php with malicious SQL in any of the three parameters. No authentication is required as the login page is publicly accessible. The attacker only needs network access to the web server.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized access to user credentials, modification of todo lists, or complete compromise of the application's data.
Mitigation
The vulnerability was fixed in CVS revision 1.4 of login.php [2]. Users should upgrade to a version later than 4.2 or apply the patch from the CVS repository. No official release with the fix is mentioned in the references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3cpe:2.3:a:rob_hensley:ackertodo:4.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:rob_hensley:ackertodo:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:rob_hensley:ackertodo:4.2:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- ackertodo.cvs.sourceforge.net/ackertodo/ackertodo/src/gadget/login.phpnvdPatch
- ackertodo.cvs.sourceforge.net/ackertodo/ackertodo/src/gadget/login.phpnvdPatch
- www.securityfocus.com/bid/20372nvdExploit
- secunia.com/advisories/22254nvdVendor Advisory
- securityreason.com/securityalert/1703nvd
- securitytracker.com/idnvd
- www.osvdb.org/29552nvd
- www.securityfocus.com/archive/1/447846/100/0/threadednvd
- www.vupen.com/english/advisories/2006/3951nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/29375nvd
News mentions
0No linked articles in our index yet.