Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Sat Sep 29, 2007 8:24 am Reply with quote

Does 2.5.13 fix the SQL injection described in Only registered users can see links on this board! Get registered or login!

Quote:
NukeSentinel "write_ban()" SQL Injection
by Marianna Schmudlach Moderator - 9/28/07 8:57 AM
In reply to: VULNERABILITIES \ FIXES - September 28, 2007 by Marianna Schmudlach Moderator

Secunia Advisory: SA26990
Release Date: 2007-09-28


Critical:
Moderately critical
Impact: Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: NukeScripts NukeSentinel 2.x

Description:
Janek Vind has reported a vulnerability in NukeSentinel, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "admin" cookie in the "write_ban()" function in includes/nukesentinel.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is reported in version 2.5.12. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Janek Vind a.k.a. waraxe

Original Advisory: Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
utssace
Worker
Worker


Joined: Feb 18, 2006
Posts: 155
Location: Virginia

PostPosted: Sat Sep 29, 2007 9:03 am Reply with quote

Yeah, I was wondering why such a fast switch from .12 to .13

Must have been a bug in .12
 
View user's profile Send private message Visit poster's website
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Sat Sep 29, 2007 9:40 am Reply with quote

Yes, the SQL injections have been corrected in .13.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©