Ansgar Burchardt
2009-Aug-01 01:53 UTC
[Secure-testing-team] Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Package: gnudip
Version: 2.1.1-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
gnudip's web interface is vulnerable to SQL injections. If one changes
the email address to something like
test at example.com", level="ADMIN
one gets administrator permissions. The server script gdips.pl also
looks prone to SQL injection attacks.
Regards,
Ansgar
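
The class of flaw reported above, shown as an added example that is not part of the original report and is not gnudip's code: an UPDATE built by pasting the e-mail value into the statement text, beside the same update with bound parameters. The table layout, function names and the use of Python with SQLite are assumptions for illustration; the input is the value from the report, with single quotes to match this demo's quoting.

```python
import sqlite3

# Value from the report, with the quote character adapted to this demo's statement.
REPORT_VALUE = "test at example.com', level='ADMIN"

def make_db():
    # Hypothetical schema (assumption): gnudip's real table layout is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, level TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.com', 'USER')")
    return db

def set_email_concat(db, username, email):
    # Flawed pattern: user input becomes part of the SQL text, so a quote in the
    # value ends the string literal and the rest is parsed as further SET clauses.
    sql = "UPDATE users SET email='%s' WHERE username='%s'" % (email, username)
    db.execute(sql)

def set_email_bound(db, username, email):
    # Corrected pattern: placeholders keep the value as data, whatever it contains.
    db.execute("UPDATE users SET email = ? WHERE username = ?", (email, username))

def account(db, username):
    # Returns (email, level) for one user.
    return db.execute(
        "SELECT email, level FROM users WHERE username = ?", (username,)
    ).fetchone()

if __name__ == "__main__":
    for setter in (set_email_concat, set_email_bound):
        db = make_db()
        setter(db, "alice", REPORT_VALUE)
        print(setter.__name__, account(db, "alice"))
```

With the concatenated statement the level column changes along with the e-mail; with bound parameters the whole string is stored as the e-mail and the level is untouched.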