oss-sec mailing list archives
Re: CVE id request: cacti remote code execution and SQL injection
From: cve-assign () mitre org
Date: Sat, 16 Aug 2014 03:47:17 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://svn.cacti.net/viewvc?view=rev&revision=7454
https://bugzilla.redhat.com/show_bug.cgi?id=1127165
> Since there is no check whether $size is actually a number, only that it starts with a number ... it's possible to insert commands by adding a ';' followed by any command.
Use CVE-2014-5261 for this issue involving shell metacharacters.
> Incomplete and incorrect input parsing leads to ... SQL injection attack scenarios
Use CVE-2014-5262 for the SQL injection.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT7wwXAAoJEKllVAevmvmszMsH/jCWZKh5R2ZO8T0WC1t/gN5R
OjCyukw70QsOJtj/bYvHedMkKrkmGF3lpqKYV0vh6PZcc8tKiNNOQ1EK0pyqUyA3
fpPJzzb3tBvsr66lTUzicGb33L2ZXUSymbWOszaSDE4grt554KySkAe8dX+jztW7
Xk5aznEc4LBQZKG8TqK3i6bsA75aN8v/m0aXXh9QD1E0lYvR98tfBsGh6unAxZTR
NJPR3ZUTE6VorlBm1ikoPFcmuuGiNM3kPxawm1rFpOa8Zy9WuTlKJkY26eYK8x30
pm/AchyANfDLLwlkKIf/aUncCGKIvhGGo4+GGt2QeaBI8zEhvKVmr9ZeHApE1K0=
=x8CR
-----END PGP SIGNATURE-----
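Added illustration of the command-injection pattern quoted above (CVE-2014-5261). This is example code written for this archive page; it is not Cacti's code, not the r7454 fix, and not part of the thread. It models the weak check as a leading-digit regex (an assumption; the thread only says the value is checked to "start with a number"), uses a placeholder tool name `graphtool` and an assumed size range of 1 to 100, and uses constructed sample inputs. It shows a POSIX-style tokenisation of the unsafe command string, where `10;id` splits into a size of `10` and a second command `id`, beside a strict validator and an argument-list invocation that never hands the value to a shell.

```python
import re
import shlex

# Constructed sample values (not taken from the report): one plausible font
# size, then values shaped like the one the thread describes, i.e. a number
# followed by ';' and a command, plus a couple of other partial-number cases.
SAMPLE_SIZES = ["12", "10;id", "12abc", "1e3", ""]


def starts_with_number(value):
    """Weak check modelled on the thread's wording (an assumption about its
    exact form): it only asks whether the value *starts* with digits, so a
    value such as "10;id" is accepted."""
    return re.match(r"[0-9]+", value) is not None


def is_whole_number_in_range(value, lo=1, hi=100):
    """Hardened check: every character must be a digit and the integer must
    lie inside an expected range. The 1..100 bounds are an assumption."""
    return re.fullmatch(r"[0-9]+", value) is not None and lo <= int(value) <= hi


def build_shell_command_unsafe(size):
    """Vulnerable pattern: the raw value is interpolated into a command
    string that would later be passed to a shell. 'graphtool' is a
    placeholder name, not a real Cacti command."""
    return f"graphtool --font-size {size} out.png"


def tokens_a_shell_would_see(command):
    """Tokenise the string roughly as a POSIX shell would, with ';' and
    similar metacharacters returned as their own tokens, so the point where
    a second command would begin is visible."""
    return list(shlex.shlex(command, punctuation_chars=True))


def build_argv_safe(size):
    """Hardened pattern: validate first, then build an argument list so no
    shell ever parses the value. Raises ValueError on rejected input."""
    if not is_whole_number_in_range(size):
        raise ValueError(f"rejected font size: {size!r}")
    return ["graphtool", "--font-size", size, "out.png"]


def safe_argv_or_error(size):
    """Convenience wrapper returning either the argv list or the error text."""
    try:
        return build_argv_safe(size)
    except ValueError as exc:
        return str(exc)


def compare_checks(values=SAMPLE_SIZES):
    """Return {value: (weak_result, strict_result)} for each sample value."""
    return {v: (starts_with_number(v), is_whole_number_in_range(v)) for v in values}


if __name__ == "__main__":
    for value, (weak, strict) in compare_checks().items():
        print(f"{value!r:10} starts_with_number={weak!s:5} strict={strict!s:5}")
    unsafe = build_shell_command_unsafe("10;id")
    print(unsafe, "->", tokens_a_shell_would_see(unsafe))
    print(safe_argv_or_error("10;id"))
    print(safe_argv_or_error("12"))
```

The argument-list form matters as much as the stricter regex: even with a correct validator, interpolating into a single shell string leaves the code one regression away from the same bug, whereas an argv list with no shell cannot be split on `;` at all.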
Current thread:
- CVE id request: cacti remote code execution and SQL injection Nico Golde (Aug 12)
- Re: CVE id request: cacti remote code execution and SQL injection Murray McAllister (Aug 14)
- Re: CVE id request: cacti remote code execution and SQL injection Nico Golde (Aug 15)
- Re: CVE id request: cacti remote code execution and SQL injection cve-assign (Aug 16)
- Re: CVE id request: cacti remote code execution and SQL injection Murray McAllister (Aug 14)