- Description
- The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries.
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 2.0
- Type
- Primary
- Base score
- 4.3
- Impact score
- 2.9
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:N/I:N/A:P
- Hype score
- Not currently trending
- Comment
- The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into a SQL escaping problem.
- Impact
- An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM".
- Solution
- An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM".
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cvstrac:cvstrac:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E3F42760-C4F3-4929-9377-1C207F5F7DED",
"versionEndIncluding": "2.0"
},
{
"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BB739BB5-9DEE-43BF-8EC8-1567B3E28C46"
},
{
"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DFAB0125-7125-48D0-84A8-B4BAD15BEFA7"
},
{
"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.2:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "382BAF58-3E11-475A-9453-9FA0CC55BA8F"
},
{
"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.3:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A82DCEFC-77F1-4FD3-9825-A779160BD3C0"
},
{
"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.4:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E31C434A-D807-4397-B794-7BEC4C0898B9"
}
],
"operator": "OR"
}
]
}
]