CVE-2007-0354
Description
SQL injection vulnerability in email.php in MGB OpenSource Guestbook 0.5.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in email.php of MGB OpenSource Guestbook 0.5.4.5 and earlier allows attackers to extract admin credentials.
Vulnerability
A SQL injection vulnerability exists in `email.php` of MGB OpenSource Guestbook version 0.5.4.5 and earlier [1][2]. The `id` parameter is directly concatenated into a SQL query without sanitization: `$sql="SELECT email, name FROM $db[entrys] WHERE id=".$_GET[id]." ORDER BY ID DESC"` [2]. Version 0.5.4.6 addressed the issue by wrapping the parameter with `htmlspecialchars(stripslashes(strip_tags(trim(...))))` and enclosing it in quotes [2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to `email.php` with a malicious `id` parameter [1]. The exploit script from [1] demonstrates a UNION-based injection: `id=1%20UNION%20SELECT%20null,passwort%20FROM%20mgb_settings%20--`. No authentication is required; the attacker only needs network access to the target server and knowledge of the guestbook path [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, enabling extraction of sensitive data. The example in [1] retrieves the administrator password hash from the mgb_settings table. With this hash, the attacker can log in to the admin panel via admin.php and achieve full administrative access [1].
Mitigation
The vendor released version 0.5.4.6 on January 18, 2007, which fixed the vulnerability by sanitizing and quoting the id parameter [2]. Users should upgrade to MGB 0.5.4.6 or later. No workarounds are documented; disabling email.php or restricting access via web server rules may serve as a temporary measure [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mgb:opensource_guestbook:*:*:*:*:*:*:*:*, range: <=0.5.4.5
- (no CPE), range: <=0.5.4.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct concatenation of the unsanitized `$_GET[id]` parameter into an SQL query in email.php allows SQL injection."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP request to `email.php` with a malicious `id` parameter. Because the original code directly interpolates `$_GET[id]` into the SQL query without sanitization, the attacker can inject arbitrary SQL commands [ref_id=1]. The advisory notes that the vendor acknowledged the issue and released version 0.5.4.6 to close the gap [ref_id=1].
Affected code
The vulnerable code is in `email.php` of MGB OpenSource Guestbook. The original line constructs an SQL query by directly concatenating the unsanitized `$_GET[id]` parameter: `$sql="SELECT email, name FROM $db[entrys] WHERE id=".$_GET[id]." ORDER BY ID DESC"` [ref_id=1]. The fix wraps the input with `htmlspecialchars(stripslashes(strip_tags(trim($_GET[id]))), ENT_QUOTES)` and uses the cleansed variable `$getid` inside single quotes with a `LIMIT 1` clause [ref_id=1].
What the fix does
The patch in version 0.5.4.6 replaces the direct use of `$_GET[id]` in the SQL query with a sanitized variable `$getid`, which is processed through `htmlspecialchars`, `stripslashes`, `strip_tags`, and `trim` [ref_id=1]. The new query also wraps the value in single quotes and adds `LIMIT 1`, preventing SQL injection by ensuring the input is treated as a string literal rather than executable SQL syntax [ref_id=1]. The vendor stated they eliminated the security gap that allowed the hacker attacks [ref_id=1].
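The three query styles side by side, as an added example that is not MGB's code and not taken from the cited references: the original concatenation, the 0.5.4.6-style filter chain as described above, and a validated, parameterised query, which is the more robust pattern. The table name `mgb_entrys`, the row values, the function names and the in-memory SQLite database (requires `pdo_sqlite`) are assumptions made for illustration.

```php
<?php
// Added example, not MGB's code. SQLite in memory stands in for the guestbook
// database; mgb_entrys and all row values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mgb_entrys (id INTEGER PRIMARY KEY, email TEXT, name TEXT)");
$pdo->exec("CREATE TABLE mgb_settings (passwort TEXT)");
$pdo->exec("INSERT INTO mgb_entrys VALUES (1, 'alice@example.test', 'Alice')");
$pdo->exec("INSERT INTO mgb_settings VALUES ('constructed-hash-value')");

// Pattern before 0.5.4.6: the raw parameter is parsed as SQL syntax.
function lookup_vulnerable(PDO $pdo, string $id): array {
    $sql = "SELECT email, name FROM mgb_entrys WHERE id=" . $id . " ORDER BY id DESC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// 0.5.4.6 approach as the page describes it: filter chain, single quotes, LIMIT 1.
// ENT_QUOTES encodes ' and ", so the value cannot close the string literal.
function lookup_vendor_style(PDO $pdo, string $id): array {
    $getid = htmlspecialchars(stripslashes(strip_tags(trim($id))), ENT_QUOTES);
    $sql = "SELECT email, name FROM mgb_entrys WHERE id='" . $getid . "' LIMIT 1";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened form: accept only a positive integer, then bind it as a parameter,
// so the value never reaches the SQL parser as text.
function lookup_hardened(PDO $pdo, string $id): array {
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return [];
    }
    $stmt = $pdo->prepare("SELECT email, name FROM mgb_entrys WHERE id = :id LIMIT 1");
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Inputs: a normal id, and the URL-decoded string quoted on the page.
$inputs = ['1', '1 UNION SELECT null,passwort FROM mgb_settings --'];
foreach ($inputs as $id) {
    printf("id=%s\n  vulnerable: %d row(s)\n  vendor-style: %d row(s)\n  hardened: %d row(s)\n",
        $id,
        count(lookup_vulnerable($pdo, $id)),
        count(lookup_vendor_style($pdo, $id)),
        count(lookup_hardened($pdo, $id)));
}
```

The row counts show which forms let the second input change the shape of the query and which treat it as data or reject it outright.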
Preconditions
- network: The attacker must be able to send HTTP requests to the vulnerable email.php script.
- auth: No authentication is required; the vulnerability is remotely exploitable.
- input: The attacker supplies a crafted 'id' parameter in the query string.
Reproduction
The public exploit reference at http://www.securityfocus.com/bid/22094 and the milw0rm exploit (ref: http://www.milw0rm.com/exploits/3141) confirm the vulnerability is remotely exploitable by sending a malicious `id` parameter to `email.php` [ref_id=1]. No further reproduction steps are documented in the provided bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.securityfocus.com/bid/22094 (nvd, Exploit)
- www.tv-kritik.net/mgb/index.php (nvd, URL Repurposed)
- osvdb.org/31612 (nvd)
- secunia.com/advisories/23825 (nvd)
- www.attrition.org/pipermail/vim/2007-January/001246.html (nvd)
- www.vupen.com/english/advisories/2007/0232 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/31551 (nvd)
- www.exploit-db.com/exploits/3141 (nvd)