Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27435
HistoryDec 12, 2011 - 12:00 a.m.

DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection

2011-12-1200:00:00
vulners.com
26
JSON

Title

DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection

Severity

High

Date Discovered

November 18, 2011

Discovered By

Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description

The KnowledgeTree login.php login page is vulnerable to a blind SQL
injection vulnerability within the username field. An attacker can
leverage this flaw to execute arbitrary SQL commands and extract
sensitive information from the backend database using standard blind
SQL exploitation techniques. Additionally, an attacker may be able to
leverage this flaw to compromise the database server host OS.

Solution Description

KnowledgeTree has released a patch which addresses the issue. The new
source is available at:
http://wiki.knowledgetree.org/Security_advisory:_KnowledgeTree_login.php_Blind_SQL_Injection

Tested Systems / Software

KnowledgeTree Version 3.7.0.2 (community edition)

Vendor Contact

Vendor Name: KnowledgeTree, Inc.
Vendor Website: http://www.knowledgetree.com/

JSON