VYPR
Unrated severity · NVD Advisory · Published Jan 4, 2008 · Updated Apr 23, 2026

CVE-2007-6667

Description

SQL injection in MyPHP Forum 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter in faq.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The faq.php script in MyPHP Forum 3.0 and earlier contains a SQL injection vulnerability in the id parameter. The parameter is directly interpolated into a SQL query without sanitization: SELECT * from $db_faq WHERE id='$id'. This code path is reachable when the action parameter is set to view and id is not empty. The vulnerability requires magic_quotes_gpc to be disabled on the server. The member.php vector is a separate issue covered by CVE-2005-0413 [1].

Exploitation

An unauthenticated attacker can exploit this by sending a crafted HTTP GET request to faq.php with action=view and a malicious id parameter. For example, the payload -1' union select 1,concat(username,0x3a,password),3 from {table_prefix}_member where uid=1/* extracts usernames and passwords from the _member table. The attacker must know or guess the table prefix (commonly nb_) [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands, leading to disclosure of sensitive data such as user credentials. This can result in full compromise of user accounts and potentially the entire forum database. The attacker gains read access to all tables, and could potentially modify or delete data depending on database permissions [1].

Mitigation

No official patch has been released for this vulnerability. The software appears to be end-of-life. As a workaround, enabling magic_quotes_gpc (though deprecated) may prevent injection, but proper input validation or parameterized queries are recommended. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • cpe:2.3:a:myphp:myphp_forum:*:*:*:*:*:*:*:* (range: <=3.0)
  • cpe:2.3:a:myphp:myphp_forum:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:myphp:myphp_forum:2.0:*:*:*:*:*:*:*
  • (no CPE) (range: <=3.0)

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the `$id` parameter in `faq.php` allows SQL injection."

Attack vector

An attacker sends an HTTP GET request to `faq.php` with `action=view` and a crafted `id` parameter containing SQL metacharacters [ref_id=1]. The `$id` value is inserted directly into a SQL query without sanitization, allowing the attacker to break out of the string context and append a UNION SELECT to extract arbitrary data from the database [CWE-89]. The attack requires that PHP's `magic_quotes_gpc` setting is disabled on the server [ref_id=1].
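The request shape described above can be looked for in web server access logs. The following Python is an added example, not code from the advisory or from MyPHP Forum; it assumes common/combined-format log lines and that legitimate FAQ ids are plain integers, and the sample log lines and the names `suspicious_faq_id` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a common/combined log entry, e.g. "GET /faq.php?id=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Assumption (not stated on the page): legitimate FAQ ids are short plain integers.
PLAIN_ID_RE = re.compile(r"\d{1,10}")

SAMPLE_LOG = [  # constructed lines using documentation IP ranges
    '192.0.2.10 - - [04/Jan/2008:10:00:01 +0000] '
    '"GET /forum/faq.php?action=view&id=7 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [04/Jan/2008:10:00:09 +0000] '
    '"GET /forum/faq.php?action=view&id=-1%27+union+select+1 HTTP/1.1" 200 4875',
    '198.51.100.23 - - [04/Jan/2008:10:00:12 +0000] '
    '"GET /forum/faq.php?action=view&id=%2527 HTTP/1.1" 200 4875',
    '192.0.2.10 - - [04/Jan/2008:10:00:15 +0000] '
    '"GET /forum/member.php?id=3%27 HTTP/1.1" 200 900',  # other script: out of scope
]

def suspicious_faq_id(log_line):
    """Return the URL-decoded id if the line is a faq.php?action=view request
    whose id is not a plain integer; otherwise return None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/faq.php"):
        return None
    params = parse_qs(url.query)  # decodes %XX and '+'; drops empty values
    if "view" not in params.get("action", []):
        return None  # the vulnerable path is only reached with action=view
    for value in params.get("id", []):
        if not PLAIN_ID_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_id) for every flagged log line."""
    hits = []
    for line in lines:
        value = suspicious_faq_id(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\tid={value!r}")
```

Because the value is decoded once before the integer check, a double-encoded quote such as `%2527` is still flagged: it decodes to `%27`, which is not a plain integer.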

Affected code

The vulnerable code is in `faq.php`. The `$id` variable is taken directly from `$_GET['id']` and interpolated into an SQL query without sanitization: `mysql_query("SELECT * from $db_faq WHERE id='$id'")` [ref_id=1]. The `member.php` vector is explicitly excluded from this CVE per the CVE description.

What the fix does

No patch is provided in the bundle. The advisory [ref_id=1] identifies the root cause as the lack of input validation on the `$id` variable in `faq.php`. The remediation would require escaping the `$id` value with a function like `mysql_real_escape_string()` before using it in the SQL query, or switching to parameterized queries to prevent SQL injection.

Preconditions

  • config: PHP magic_quotes_gpc must be disabled on the server
  • network: Attacker must be able to send HTTP GET requests to the vulnerable faq.php endpoint
  • input: The id parameter must be controllable by the attacker via the query string

Reproduction

1. Ensure the target server has `magic_quotes_gpc` disabled.
2. Send a request to the vulnerable endpoint: `http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/*`
3. The application will return the username and password hash of the first user in the response, demonstrating SQL injection [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
