Multiple SQL injection vulnerabilities in Loki download manager 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) password field to default.asp or (2) cat parameter to catinfo.asp.
http://www.securityfocus.com/bid/13900
http://www.securityfocus.com/bid/13898
http://securitytracker.com/id?1014147