oss-sec mailing list archives
Re: CVE Request -- OCS Inventory NG
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 1 Sep 2009 15:41:10 -0400 (EDT)
On Mon, 17 Aug 2009, Jan Lieskovsky wrote:
> a SQL injection by machine blacklisting was reported on 2009-08-11:
>
> http://seclists.org/fulldisclosure/2009/Aug/0143.html
> http://www.ocsinventory-ng.org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=147&cntnt01returnid=15
CVE-2009-3042 is assigned for this specific issue.

Note that CVE-2009-3040 was assigned for multiple older SQL injections that affected 1.02.

- Steve

======================================================
Name: CVE-2009-3040
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3040
Reference: BUGTRAQ:20090530 OCS Inventory NG 1.02 - Multiple SQL Injections
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/503936/100/0/threaded
Reference: MISC:http://www.leidecker.info/advisories/2009-05-30-ocs_inventory_ng_sql_injection.shtml
Reference: CONFIRM:http://www.ocsinventory-ng.org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=140&cntnt01returnid=72

Multiple SQL injection vulnerabilities in Open Computer and Software (OCS) Inventory NG 1.02 for Unix allow remote attackers to execute arbitrary SQL commands via the (1) N, (2) DL, (3) O and (4) V parameters to download.php and the (5) SYSTEMID parameter to group_show.php.

======================================================
Name: CVE-2009-3042
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3042
Reference: BUGTRAQ:20090811 Sql injection in OCS Inventory NG Server 1.2.1
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/505675/100/0/threaded
Reference: FULLDISC:20090811 Sql injection in OCS Inventory NG Server 1.2.1
Reference: URL:http://seclists.org/fulldisclosure/2009/Aug/0143.html
Reference: MILW0RM:9416
Reference: URL:http://www.milw0rm.com/exploits/9416
Reference: CONFIRM:http://www.ocsinventory-ng.org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=147&cntnt01returnid=15
Reference: SECUNIA:35311
Reference: URL:http://secunia.com/advisories/35311

SQL injection vulnerability in machine.php in Open Computer and Software (OCS) Inventory NG 1.02.1 allows remote attackers to execute arbitrary SQL commands via the systemid parameter, a different vector than CVE-2009-3040.
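Both CVE descriptions above are SQL injections through request parameters that the application expects to be numeric (systemid, SYSTEMID, N, DL, O, V). The block below is an added illustration of that bug class and its fix, written for this archive page; it is not OCS Inventory NG's code and does not reproduce machine.php, group_show.php or download.php. The hardware table, its rows, the query text and the function names are all invented for the demonstration, and an in-memory SQLite database stands in for the real MySQL backend.

```python
import sqlite3


def build_db():
    """Constructed fixture: a small inventory-like table. The schema and
    rows are invented for this example, not taken from OCS Inventory NG."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hardware (id INTEGER PRIMARY KEY, name TEXT, workgroup TEXT)"
    )
    conn.executemany(
        "INSERT INTO hardware VALUES (?, ?, ?)",
        [(1, "ws-001", "FINANCE"), (2, "ws-002", "HR"), (3, "srv-db", "DC")],
    )
    conn.commit()
    return conn


def machine_lookup_vulnerable(conn, systemid):
    """The injectable pattern: the raw request parameter is spliced into
    the SQL text. Because the value is meant to be a bare integer there are
    no quotes to escape, so any non-numeric tail becomes part of the query.
    (Hypothetical code illustrating the class, not the application's own.)"""
    sql = "SELECT name FROM hardware WHERE id = " + systemid
    return [row[0] for row in conn.execute(sql)]


def machine_lookup_fixed(conn, systemid):
    """Hardened form: validate the parameter as an integer, then bind it as
    a placeholder so the database never parses attacker-controlled text."""
    try:
        sid = int(systemid)
    except (TypeError, ValueError):
        raise ValueError("systemid must be an integer")
    rows = conn.execute("SELECT name FROM hardware WHERE id = ?", (sid,))
    return [row[0] for row in rows]


def rejects_injection(conn, systemid):
    """True if the hardened lookup refuses the given parameter value."""
    try:
        machine_lookup_fixed(conn, systemid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("honest request  :", machine_lookup_vulnerable(db, "2"))
    # Tautology widens the WHERE clause to every row.
    print("tautology       :", machine_lookup_vulnerable(db, "2 OR 1=1"))
    # UNION pulls a different column out of the same table.
    print("union extraction:", machine_lookup_vulnerable(
        db, "0 UNION SELECT workgroup FROM hardware"))
    print("fixed, honest   :", machine_lookup_fixed(db, "2"))
    print("fixed, rejects  :", rejects_injection(db, "2 OR 1=1"))
```

The integer check is what matters for this class: escaping or quoting helps only for string context, while a numeric comparison such as `id = 2 OR 1=1` is valid SQL with no quote characters at all. Casting first and binding the result as a parameter closes both avenues.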
Current thread:
- CVE Request -- OCS Inventory NG Jan Lieskovsky (Aug 17)
- Re: CVE Request -- OCS Inventory NG Steven M. Christey (Sep 01)