SQL injection vulnerability in hotel_tiempolibre_ext.php in Venalsur Booking Centre Booking System for Hotels Group, when magic_quotes_gpc is enabled, allows remote attackers to execute arbitrary SQL commands via the NoticiaID parameter and other unspecified vectors.
http://www.vupen.com/english/advisories/2009/3538
http://www.securityfocus.com/archive/1/508429/100/0/threaded