ID CVE-2007-0347
Summary The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries. An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM". The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into a SQL escaping problem. Successful remote unauthenticated exploit requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default).
References
Vulnerable Configurations
  • cpe:2.3:a:cvstrac:cvstrac:1.1:*:*:*:*:*:*:*
    cpe:2.3:a:cvstrac:cvstrac:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cvstrac:cvstrac:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:cvstrac:cvstrac:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cvstrac:cvstrac:1.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:cvstrac:cvstrac:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cvstrac:cvstrac:1.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:cvstrac:cvstrac:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cvstrac:cvstrac:1.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:cvstrac:cvstrac:1.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cvstrac:cvstrac:*:*:*:*:*:*:*:*
    cpe:2.3:a:cvstrac:cvstrac:*:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 16-10-2018 - 16:32)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
refmap via4
bid 22296
bugtraq 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability
confirm http://www.cvstrac.org/cvstrac/chngview?cn=850
fulldisc 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability
misc http://www.cvstrac.org/cvstrac/tktview?tn=683
openpkg OpenPKG-SA-2007.008
osvdb 31935
secunia 23940
sreason 2192
vupen ADV-2007-0398
Last major update 16-10-2018 - 16:32
Published 29-01-2007 - 20:28
Back to Top