Advisory: SQL-Injection in CitrusDB RedTeam found an SQL-Injection vulnerability in CitrusDB. Details ======= Product: CitrusDB Affected Version: 0.3.6 (verified), probably <= 0.3.5, too Immune Version: none [[Date(2005-02-03T12:50:17Z)]] OS affected: all Security-Risk: low Remote-Exploit: no Vendor-URL: http://www.citrusb.org Vendor-Status: informed Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-004 Advisory-Status: public CVE: GENERIC-MAP-NOMATCH Introduction ============ Description from vendor: "CitrusDB is an open source customer database application that uses PHP and a database backend (currently MySQL) to keep track of customer information, services, products, billing, and customer service information." CitrusDB does not filter special characters (e.g. single quotes) from uploaded csv files. More Details ============ In ./citrusdb/tools/importcc.php data from a previous uploaded csv file is inserted into the mysql database but none of the values is filtered. Proof of Concept ================ A csv file with content ',,,,, makes the SQL-Query in ./citrusdb/tools/importcc.php fail. Workaround ========== Check csv files manually for single quotes before upload. Fix === n/a Security Risk ============= The security risk is rated low because only special users may upload csv files and with this SQL injection it is only possible to inject data that could be easier injected directly through csv file. Vendor Status ============= 2005-02-04 Email sent to author 2005-02-12 CVE number requested RedTeam ======= RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more Information on the RedTeam Project at http://tsyklon.informatik.rwth-aachen.de/redteam/