Multiple SQL injection vulnerabilities in OneCMS 2.4, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) username parameter ($usernameb variable) to a_login.php or (2) user parameter to staff.php.
https://www.exploit-db.com/exploits/4857
https://exchange.xforce.ibmcloud.com/vulnerabilities/39482
http://www.vupen.com/english/advisories/2008/0081
http://www.securityfocus.com/archive/1/487136/100/200/threaded
http://www.securityfocus.com/archive/1/485837/100/200/threaded