Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
On Wednesday 17 June 2009 05:27:49 James Andrewartha wrote:
> Pierre,
>
> The bug in download.php is still there in lenny, why did you close the bug?

Hi James,

I closed the bug because the advisory [1] stated 1.02 while the Lenny version is 1.01.

Additionally, this injection does not work here:
http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1dl=2o=3v=4%27union+all+select+concat(id, %27:%27,passwd)+from+operators%23
and returns an empty file.

However, I agree this needs further investigation to check if 1.01 is vulnerable too. Do you have a working example? I'll check on my side if the code is similar in 1.01 and 1.02.

Cheers,
Pierre

[1] http://archives.neohapsis.com/archives/bugtraq/2009-06/0009.html

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
On Wed, 17 Jun 2009, Pierre Chifflier wrote:
> On Wednesday 17 June 2009 05:27:49 James Andrewartha wrote:
> > Pierre,
> >
> > The bug in download.php is still there in lenny, why did you close the bug?
>
> Hi James,
>
> I closed the bug because the advisory [1] stated 1.02 while the Lenny version is 1.01.
>
> Additionally, this injection does not work here:
> http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1dl=2o=3v=4%27union+all+select+concat(id, %27:%27,passwd)+from+operators%23
> and returns an empty file.
>
> However, I agree this needs further investigation to check if 1.01 is vulnerable too. Do you have a working example? I'll check on my side if the code is similar in 1.01 and 1.02.

magic_quotes in php.ini protects against this attack, but if I turn it off it works.

-- 
# TRS-80 trs80(a)ucc.gu.uwa.edu.au
# UCC Wheel Member http://trs80.ucc.asn.au/
Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
Hi Pierre,

Pierre Chifflier wrote:
> I closed the bug because the advisory [1] stated 1.02 while the Lenny version is 1.01.

This doesn't imply that 1.01 isn't affected.

Cheers,
Giuseppe.
Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
On Wednesday 17 June 2009 15:25:57 Giuseppe Iuculano wrote:
> Hi Pierre,
>
> Pierre Chifflier wrote:
> > I closed the bug because the advisory [1] stated 1.02 while the Lenny version is 1.01.
>
> This doesn't imply that 1.01 isn't affected.

I fully agree, but you should quote correctly:

--8<--
Additionally, this injection does not work here:
http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1dl=2o=3v=4%27union+all+select+concat(id, %27:%27,passwd)+from+operators%23
--8<--

Apparently, the default Lenny install is not vulnerable (due to magic_quotes on or something like that). I'm looking to backport the fix in 1.01 anyway.

BR,
Pierre
Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
Pierre Chifflier wrote:
> I fully agree, but you should quote correctly:
>
> --8<--
> Additionally, this injection does not work here:
> http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1dl=2o=3v=4%27union+all+select+concat(id, %27:%27,passwd)+from+operators%23
> --8<--
>
> Apparently, the default Lenny install is not vulnerable (due to magic_quotes on or something like that). I'm looking to backport the fix in 1.01 anyway.

I didn't check it, but if this is true, this vulnerability can be exploited only if magic_quotes is off and the severity of this issue could be decreased.

Cheers,
Giuseppe.
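The thread leans on magic_quotes_gpc as the thing standing between the download.php/group_show.php queries and the quote-based injection. As an added example (not code from OCS Inventory NG or from anyone in this thread), here is the pattern a maintainer would backport instead: validate that an integer parameter such as systemid really is an integer and bind it, rather than escaping quotes in the request layer (magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4). The `hardware` table, its rows and the use of SQLite are constructed so the script runs without a MySQL server.

```php
<?php
// Added example, not OCS Inventory NG code. Demonstrates the hardening of an
// integer request parameter (systemid) discussed in Bug#531735.

// Weak pattern: the raw request value is spliced into the SQL text and only
// magic_quotes_gpc (if enabled) stands between a quote in the input and the query.
function weak_query(string $systemid): string
{
    return "SELECT id, name FROM hardware WHERE id = '" . $systemid . "'";
}

// Hardened pattern: accept only a plain decimal integer, then pass it as a typed
// bound parameter so the value can never become part of the SQL statement itself.
function lookup_system(PDO $db, string $systemid): ?array
{
    if (!preg_match('/^[0-9]{1,10}$/', $systemid)) {
        return null; // bad request: do not fall back to using the raw string
    }
    $stmt = $db->prepare('SELECT id, name FROM hardware WHERE id = :id');
    $stmt->bindValue(':id', (int) $systemid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (hypothetical table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hardware (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO hardware VALUES (1, 'ws-01'), (2, 'ws-02')");

// A well-formed id is looked up; a value carrying a quote is rejected before any
// SQL runs, whatever php.ini says about magic_quotes.
var_dump(lookup_system($db, '2'));
var_dump(lookup_system($db, "4'"));
echo weak_query("4'"), PHP_EOL; // shown only to contrast the string-built query
```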
Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
Pierre,

The bug in download.php is still there in lenny, why did you close the bug?

-- 
# TRS-80 trs80(a)ucc.gu.uwa.edu.au
# UCC Wheel Member http://trs80.ucc.asn.au/
Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
Package: ocsinventory-server
Severity: serious
Tags: security

Hi,

The following SA (Secunia Advisory) id was published for OCS Inventory NG:

SA35311[0]:

Description:
Nico Leidecker has discovered a vulnerability in OCS Inventory NG, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the systemid parameter in group_show.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 1.02.1. Other versions may also be affected.

If you fix the vulnerability please also make sure to include the CVE id (if it will be available) in the changelog entry.

[0] http://secunia.com/advisories/35311/
    http://archives.neohapsis.com/archives/bugtraq/2009-06/0009.html
Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability
fixed 531735 1.02.1-1
tags 531735 lenny patch
thanks

Giuseppe Iuculano wrote:
> The vulnerability is confirmed in version 1.02.1. Other versions may also be affected.

This was wrong, 1.02.1 is not vulnerable.

Patch: http://ocsinventory.svn.sourceforge.net/viewvc/ocsinventory?view=revrevision=1625

Cheers,
Giuseppe