Topic: Potential SQL Injection Vulnerability in versions 2.9-0.7 and before
There appear to be SQL injection vulnerabilities in FreeRealty 2.9-0.7 and earlier. User input is not properly validated or sanitized, allowing a remote user to log in without a valid user name and password.
The effects appear to be mitigated by additional checks within the script that recheck the user data.
There are currently no known exploits and no sites have been compromised that I am aware of.
Fixes are in the works and users are highly encouraged to upgrade as soon as the patch is released.
Lead developer FreeRealty
Other claims to fame: http://www.rwcinc.net
Enrolled Agent, Licensed to Represent Taxpayers before Exams, Appeals and Conference divisions of the Internal Revenue Service.