SQL injection vulnerability in install.php in mcRefer allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: this issue has been disputed by a third party, stating that the file does not use a SQL database
http://www.securityfocus.com/bid/22507
http://www.securityfocus.com/archive/1/459796/100/200/threaded
http://www.securityfocus.com/archive/1/459649/100/0/threaded