From: Nico Leidecker <nico_(at)_leidecker.info>
Date: June 1, 2009
Subject: OCS Inventory NG 1.02 - Multiple SQL Injections

OCS Inventory NG - Multiple SQL Injections (May 30 2009)

* Product

 Open Computer and Software (OCS) Inventory NG

* Vulnerable Versions

 OCS Inventory NG 1.02 (Unix)

* Vendor Status

 Vendor has been notified and the vulnerability has been fixed.

* Details

 The Open Computer and Software (OCS) Inventory Next Generation (NG)
provides inventory information about system configurations and installed
software on the network. The server is managed through a web interface.
The application does not properly sanitize user input, which results in
multiple SQL injection vulnerabilities.

 Affected are the following scripts:

 - download.php (parameters `N', `DL', `O' and `V')
 - group_show.php (parameter `SYSTEMID')
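 The following is an added illustration of the bug class named above, not
code from OCS Inventory NG or from the advisory author: a parameter such as
SYSTEMID pasted into a query by string concatenation, next to the
parameterised form that closes the hole. The schema, table names
(hardware, web_users), rows and function names are all constructed for the
demo and are not the real OCS database layout. It also shows the quoted
string case that parameters like those of download.php would fall under if
they are string-valued, which the advisory does not state.

```python
"""Added example: string-concatenated SQL (the reported bug class) versus
whitelisting plus bound parameters. Schema, table names and rows are
constructed for the demo and are NOT the OCS Inventory NG schema."""
import re
import sqlite3

# Constructed sample data (hypothetical; not the real OCS database).
HARDWARE_ROWS = [
    (1, "ws-accounting-01", "Windows XP"),
    (2, "ws-hr-02", "Windows Vista"),
    (3, "srv-inventory", "Debian GNU/Linux 5.0"),
]
WEB_USER_ROWS = [(1, "admin", "hash-placeholder")]


def make_db():
    """In-memory SQLite database holding the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hardware (id INTEGER PRIMARY KEY, name TEXT, osname TEXT)")
    conn.execute("CREATE TABLE web_users (id INTEGER PRIMARY KEY, login TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO hardware VALUES (?, ?, ?)", HARDWARE_ROWS)
    conn.executemany("INSERT INTO web_users VALUES (?, ?, ?)", WEB_USER_ROWS)
    return conn


def show_system_vulnerable(conn, systemid):
    """Numeric parameter pasted into the query verbatim (the bug class)."""
    sql = "SELECT id, name, osname FROM hardware WHERE id = " + systemid
    return conn.execute(sql).fetchall()


def show_system_fixed(conn, systemid):
    """Whitelist the numeric parameter, then bind it as a placeholder."""
    if not re.fullmatch(r"[0-9]+", systemid):
        raise ValueError("SYSTEMID must be an unsigned integer")
    sql = "SELECT id, name, osname FROM hardware WHERE id = ?"
    return conn.execute(sql, (int(systemid),)).fetchall()


def find_by_name_vulnerable(conn, name):
    """String parameter quoted by hand: a single quote in the input breaks out."""
    sql = "SELECT id, name, osname FROM hardware WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_fixed(conn, name):
    """String parameter bound as a placeholder; quoting is the driver's job."""
    sql = "SELECT id, name, osname FROM hardware WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Runs benign and injected inputs through both variants."""
    conn = make_db()
    out = {}
    out["benign"] = show_system_vulnerable(conn, "1")
    # Tautology: WHERE id = 1 OR 1=1 is always true, so the whole table leaks.
    out["tautology"] = show_system_vulnerable(conn, "1 OR 1=1")
    # UNION: rows of an unrelated table are appended to the result set.
    out["union"] = show_system_vulnerable(
        conn, "0 UNION SELECT id, login, passwd FROM web_users")
    # String context: the quote closes the literal and a tautology follows.
    out["quote_break"] = find_by_name_vulnerable(conn, "x' OR '1'='1")
    # Fixed variants: same benign behaviour, payloads are rejected or inert.
    out["fixed_benign"] = show_system_fixed(conn, "1")
    try:
        show_system_fixed(conn, "1 OR 1=1")
        out["fixed_numeric_payload"] = "accepted"
    except ValueError:
        out["fixed_numeric_payload"] = "rejected"
    out["fixed_string_payload"] = find_by_name_fixed(conn, "x' OR '1'='1")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The UNION case is what turns "manipulate SQL statements" into data
retrieval: with the column count matched, rows from any table the web
application's database account can read come back in the page. Binding
alone fixes the string case; for the numeric case the whitelist check is
kept so that a non-numeric value fails loudly instead of being silently
coerced.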

* Impact

 Attackers may be able to manipulate SQL statements so that they can
retrieve, create or modify information stored in the database.
Furthermore, the SQL injection might allow attackers to gain a foothold
on the underlying system.

* Exploit

 The vulnerability can be exploited by just using a web browser:



Nico Leidecker - http://www.leidecker.info

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod