Package: gnudip
Version: 2.1.1-4.1
Severity: grave
Tags: security
Justification: user security hole

Hi,

gnudip's web interface is vulnerable to SQL injections.  If one changes
the email address to something like

    t...@example.com", level="ADMIN

one gets administrator permissions.  The server script gdips.pl also
looks prone to SQL injection attacks.

Regards,
Ansgar
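
Added example, not part of the original report and not gnudip's own code: a minimal Python/SQLite model of the bug class described above, with a string-built UPDATE next to a parameterized one. The schema, function names and sample address are assumptions, and the crafted value uses single quotes instead of the report's double quotes because the example runs on SQLite.

```python
import sqlite3

# Assumed schema: table and column names are illustrative, not gnudip's own.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, level TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.com', 'USER')")
    return db

def set_email_vulnerable(db, username, email):
    # The input is pasted into the statement text, so a quote inside `email`
    # ends the string literal and the remainder is parsed as SQL.
    db.execute("UPDATE users SET email='%s' WHERE username='%s'" % (email, username))

def set_email_parameterized(db, username, email):
    # Placeholders pass the value separately from the statement text,
    # so it can only ever be stored as data in the email column.
    db.execute("UPDATE users SET email=? WHERE username=?", (email, username))

def row_for(db, username):
    # Returns (email, level) for one user.
    return db.execute(
        "SELECT email, level FROM users WHERE username=?", (username,)
    ).fetchone()

# Constructed input in the shape the report describes (single-quote variant).
CRAFTED = "alice@example.com', level='ADMIN"

def demo():
    # Run the same input through both update paths on fresh databases.
    results = {}
    for name, update in (("vulnerable", set_email_vulnerable),
                         ("parameterized", set_email_parameterized)):
        db = make_db()
        update(db, "alice", CRAFTED)
        results[name] = row_for(db, "alice")
    return results

if __name__ == "__main__":
    for name, (email, level) in demo().items():
        print("%-14s email=%r level=%r" % (name, email, level))
```

With the string-built statement the level column changes along with the address; with placeholders the whole input is stored as the email and the level stays as it was.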


