[VIM] SQL injection (x2) in NukeSentinel
    Heinbockel, Bill
    heinbockel at mitre.org
    Wed Mar 14 13:21:36 UTC 2007

BUGTRAQ:20070310 NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit
http://www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded
Appears to be similar to CVE-2007-1172:
BUGTRAQ:20070220 NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit
http://www.securityfocus.com/archive/1/archive/1/460599/100/0/threaded
Both exploits are SQL injections and the code looks remarkably similar.
However, with the release of NukeSentinel 2.5.06, the vendor attempted to
thwart CVE-2007-1172 with a weak regex --
In nukesentinel.php (line 61):
if(!ereg("^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})",
$nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
So, they are checking to ensure the Client-IP HTTP Header contains a
valid IP.
Hence, the newer exploit code prepends a random dotted-quad IP address to
the start of the SQL injection. Therefore, this is viewed by CVE as a new
vulnerability and will be assigned a new CVE.
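As an added illustration (not code from this post or from NukeSentinel), the vendor's check beside a hardened one: the original pattern is anchored only at the start (no `$`), so any value that merely begins with four dotted numbers passes, and `[0-9]{1,3}` also accepts octets above 255. The function names and sample values below are assumed; only the pattern itself comes from the post.

```php
<?php
// Added example: the start-anchored check quoted above, reproduced with
// preg_match() because ereg() is no longer available in current PHP.
function weak_ip_check(string $value): bool
{
    // Same pattern as the vendor's ereg(): '^' only, no '$', no range check.
    return preg_match('/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/', $value) === 1;
}

// Hardened check: the entire value must be one well-formed IPv4 address.
function strict_ip_check(string $value): bool
{
    // FILTER_VALIDATE_IP rejects trailing characters and octets above 255.
    return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Constructed header values for comparison (not taken from the post).
$samples = [
    '10.0.0.1'               => 'plain address',
    '10.0.0.1\' -- trailing' => 'address followed by non-IP text',
    '999.999.999.999'        => 'out-of-range octets',
];

foreach ($samples as $value => $label) {
    printf("%-28s weak=%s strict=%s (%s)\n", $value,
        weak_ip_check($value) ? 'pass' : 'fail',
        strict_ip_check($value) ? 'pass' : 'fail',
        $label);
}
```

Only the first sample passes the strict check; the other two pass the weak one. Even with a correct validator, the header value should reach the database as a bound parameter rather than by string concatenation.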
William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615