
CERT Coordination Center

Centreon 2.3.3 through 2.3.9-4 blind SQL injection vulnerability.

Vulnerability Note VU#856892

Original Release Date: 2012-12-12 | Last Revised: 2012-12-12

Overview

Centreon 2.3.3 through 2.3.9-4 contains a blind SQL injection vulnerability.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Centreon 2.3.3 through 2.3.9-4 contains a blind SQL injection vulnerability in the 'menu' parameter of the menuXML.php file. It was reported that injecting a payload after the menu parameter, for example '  AND SLEEP(5) AND 'meHL'='meHL, caused the web application to hang for 5 seconds.

Impact

A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.

Solution

Update

The vendor has stated that this vulnerability has been addressed in Centreon 2.4.0. Users are advised to update to Centreon 2.4.0 or newer.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.
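
The following is an added example, not part of the original note or of Centreon's code: a log check for the kind of request described in the Description, flagging menuXML.php requests whose 'menu' value is not a plain number. It assumes combined-format access logs and that legitimate menu values are decimal IDs; the sample lines, addresses and directory prefix are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate 'menu' values are plain decimal menu IDs.
NUMERIC = re.compile(r"[0-9]+")
# Client address and request URL from a combined-format access log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')
# Functions commonly used to produce a delay in MySQL.
TIMING = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def suspicious_menu_requests(lines):
    """Return (ip, decoded menu value, reason) for each menuXML.php request
    whose 'menu' parameter is not a plain number."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        url = urlsplit(match.group("url"))
        if not url.path.lower().endswith("/menuxml.php"):
            continue
        # parse_qs URL-decodes values; keep blanks so an empty 'menu=' is seen.
        for value in parse_qs(url.query, keep_blank_values=True).get("menu", []):
            if NUMERIC.fullmatch(value):
                continue
            reason = ("time-delay function" if TIMING.search(value)
                      else "non-numeric value")
            findings.append((match.group("ip"), value, reason))
    return findings


# Constructed sample log lines (addresses, user and directory are made up).
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/Dec/2012:10:00:01 +0000] '
    '"GET /centreon/menuXML.php?menu=2 HTTP/1.1" 200 1532',
    '192.0.2.44 - admin [12/Dec/2012:10:00:07 +0000] '
    '"GET /centreon/menuXML.php?menu=2%27%20AND%20SLEEP(5)%20AND%20'
    '%27meHL%27=%27meHL HTTP/1.1" 200 1532',
    '192.0.2.44 - admin [12/Dec/2012:10:00:09 +0000] '
    '"GET /centreon/menuXML.php?menu=2%27 HTTP/1.1" 200 0',
    '192.0.2.10 - admin [12/Dec/2012:10:00:11 +0000] '
    '"GET /centreon/index.php?p=1 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for finding in suspicious_menu_requests(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so a 'menu' value sent in a POST body would not be seen by this check.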

Vendor Information


Centreon

Notified: November 09, 2012 | Updated: December 07, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://forge.centreon.com/projects/centreon/repository/revisions/13749


CVSS Metrics

Group          Score  Vector
Base           6.3    AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal       4.8    E:U/RL:U/RC:UC
Environmental  1.3    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Tom Gregory of Spentera for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-5967
Date Public: 2012-12-12
Date First Published: 2012-12-12
Date Last Updated: 2012-12-12 12:37 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.