The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.
https://exchange.xforce.ibmcloud.com/vulnerabilities/24051
http://www.xaraya.com/index.php/news/569
http://www.vupen.com/english/advisories/2006/1419
http://www.vupen.com/english/advisories/2006/1305
http://www.vupen.com/english/advisories/2006/1304
http://www.vupen.com/english/advisories/2006/0447
http://www.vupen.com/english/advisories/2006/0370
http://www.vupen.com/english/advisories/2006/0105
http://www.vupen.com/english/advisories/2006/0104
http://www.vupen.com/english/advisories/2006/0103
http://www.vupen.com/english/advisories/2006/0102
http://www.vupen.com/english/advisories/2006/0101
http://www.securityfocus.com/archive/1/466171/100/0/threaded
http://www.securityfocus.com/archive/1/430448/100/0/threaded
http://www.securityfocus.com/archive/1/423784/100/0/threaded
http://www.maxdev.com/Article550.phtml
http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml
http://www.debian.org/security/2006/dsa-1031
http://www.debian.org/security/2006/dsa-1030
http://www.debian.org/security/2006/dsa-1029
http://securityreason.com/securityalert/713
http://secunia.com/advisories/24954
http://secunia.com/advisories/19699
http://secunia.com/advisories/19691
http://secunia.com/advisories/19600
http://secunia.com/advisories/19591
http://secunia.com/advisories/19590
http://secunia.com/advisories/19563
http://secunia.com/advisories/19555
http://secunia.com/advisories/18720
http://secunia.com/advisories/18276
http://secunia.com/advisories/18267
http://secunia.com/advisories/18260