Vulnerability Note VU#856892
Centreon 2.3.3 through 2.3.9-4 blind sqli injection vulnerability.
Overview
Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability.
Description
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability. The vulnerability is found within the menuXML.php file inside the 'menu' parameter. It was reported that by injecting a payload after the menu parameter, for example ' AND SLEEP(5) AND 'meHL'='meHL, the web application hung for 5 seconds. |
Impact
A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database. |
Solution
Update |
Restrict access |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Centreon | Affected | 09 Nov 2012 | 07 Dec 2012 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 6.3 | AV:N/AC:M/Au:S/C:C/I:N/A:N |
| Temporal | 4.8 | E:U/RL:U/RC:UC |
| Environmental | 1.3 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://cwe.mitre.org/data/definitions/89.html
- http://www.centreon.com/Content-Download/donwload-centreon
- http://forge.centreon.com/projects/centreon/repository/revisions/13749
Credit
Thanks to Tom Gregory of Spentera for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2012-5967
- Date Public: 12 Dec 2012
- Date First Published: 12 Dec 2012
- Date Last Updated: 12 Dec 2012
- Document Revision: 10
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.