Ravens PHP Scripts: Forums
Forum: Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.5.x
oprime2001 (Worker)
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
Posted: Sat Sep 29, 2007 8:24 am

Does 2.5.13 fix the SQL injection described in http://forums.cnet.com/Software/5208-6132_102-0.html?forumID=32&threadID=265936&messageID=2594414#2594414 ?

Quote:
NukeSentinel "write_ban()" SQL Injection
by Marianna Schmudlach Moderator - 9/28/07 8:57 AM
In reply to: VULNERABILITIES \ FIXES - September 28, 2007 by Marianna Schmudlach Moderator

Secunia Advisory: SA26990
Release Date: 2007-09-28
Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: NukeScripts NukeSentinel 2.x

Description:
Janek Vind has reported a vulnerability in NukeSentinel, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "admin" cookie in the "write_ban()" function in includes/nukesentinel.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in version 2.5.12. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Janek Vind a.k.a. waraxe

Original Advisory:
http://www.waraxe.us/advisory-58.html
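The cookie-to-query pattern the quoted advisory describes, as an added example for this thread; it is not NukeSentinel's own code and not from the original post. Assumed here: an "admin" cookie carrying base64("name:hash"), a ban table named ns_blocked(ip, admin), and PDO over an in-memory SQLite database standing in for the real MySQL backend. The vulnerable function interpolates the decoded cookie field into the INSERT; the hardened one validates the decoded fields and binds them.

```php
<?php
// Added illustration of the pattern the advisory describes; this is not
// NukeSentinel's own code. Assumed for the example: an "admin" cookie that
// carries base64("name:hash"), a ban table ns_blocked(ip, admin), and PDO
// over an in-memory SQLite database standing in for the real MySQL backend.

// Pull the first field out of the cookie. Strict base64 decoding rejects
// cookies with characters outside the base64 alphabet, but the decoded
// bytes are still fully attacker-controlled.
function adminFromCookie(string $cookie): string
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) {
        return '';
    }
    return explode(':', $decoded, 2)[0];
}

// Vulnerable form: the decoded field is interpolated straight into SQL.
function writeBanVulnerable(PDO $db, string $ip, string $cookie): void
{
    $admin = adminFromCookie($cookie);
    $db->exec("INSERT INTO ns_blocked (ip, admin) VALUES ('$ip', '$admin')");
}

// Hardened form: reject anything that is not a plausible account name or
// IP address, then bind the values so they can never change the statement.
function writeBanHardened(PDO $db, string $ip, string $cookie): bool
{
    $admin = adminFromCookie($cookie);
    if (!preg_match('/^[A-Za-z0-9_.-]{1,25}$/', $admin)) {
        return false;
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO ns_blocked (ip, admin) VALUES (:ip, :admin)');
    return $stmt->execute([':ip' => $ip, ':admin' => $admin]);
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM ns_blocked')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ns_blocked (ip TEXT, admin TEXT)');

// Constructed attacker cookie: the "name" field closes the quoted value and
// the VALUES tuple, then appends a second, attacker-chosen row.
$evilCookie = base64_encode("x'),('0.0.0.0','pwned:ignoredhash");

writeBanVulnerable($db, '198.51.100.7', $evilCookie);
printf("vulnerable: %d rows inserted for one ban call\n", rowCount($db));

$db->exec('DELETE FROM ns_blocked');
$ok = writeBanHardened($db, '198.51.100.7', $evilCookie);
printf("hardened (attacker cookie): accepted=%s, rows=%d\n", var_export($ok, true), rowCount($db));

// A well-formed cookie still goes through the hardened path.
$ok = writeBanHardened($db, '198.51.100.7', base64_encode('admin:somehash'));
printf("hardened (valid cookie): accepted=%s, rows=%d\n", var_export($ok, true), rowCount($db));
```

The point worth checking in any fix of this class: escaping applied to the raw cookie (magic_quotes or addslashes on $_COOKIE) does nothing for bytes that only appear after base64_decode, so the decoded fields themselves have to be validated or bound at the query site. The whitelist on the account name is an assumption of this example; the binding is the part that removes the injection regardless of what the name is allowed to contain.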
utssace (Worker)
Joined: Feb 18, 2006
Posts: 155
Location: Virginia
Posted: Sat Sep 29, 2007 9:03 am

Yeah, I was wondering why such a fast switch from .12 to .13.

Must have been a bug in .12.
montego (Site Admin)
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sat Sep 29, 2007 9:40 am

Yes, the SQL injections have been corrected in .13.
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours