ID CVE-2006-4212 Type cve Reporter NVD Modified 2017-07-19T21:32:55
Description
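SQL injection vulnerability in b0zz and Chris Vincent Owl Intranet Engine 0.90 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Although this description leaves the vector unspecified, the related records below are more specific: the OSVDB entry places the flaw in lib/owl.lib.php, and the Nessus plugin attributes it to the session id cookie being used in a database query without sanitization, exploitable when PHP's 'magic_quotes_gpc' setting is disabled. The records also differ on the affected range (OSVDB reports 0.91 as the fixed version, while the Nessus plugin title covers versions up to and including 0.91), so confirm that the vendor patch is applied rather than relying on the version number alone.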
{"osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Solution Description\nUpgrade to version 0.91 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://owl.sourceforge.net/\nVendor Specific News/Changelog Entry: http://sourceforge.net/tracker/index.php?func=detail&aid=1540643&group_id=9444&atid=309444\n[Secunia Advisory ID:21519](https://secuniaresearch.flexerasoftware.com/advisories/21519/)\n[Related OSVDB ID: 27964](https://vulners.com/osvdb/OSVDB:27964)\nOther Advisory URL: http://jvn.jp/jp/JVN%2339103264/index.html\nOther Advisory URL: http://jvn.jp/jp/JVN%2301137722/index.html\nFrSIRT Advisory: ADV-2006-3285\n[CVE-2006-4212](https://vulners.com/cve/CVE-2006-4212)\nBugtraq ID: 19552\n", "modified": "2006-08-15T09:49:54", "published": "2006-08-15T09:49:54", "href": "https://vulners.com/osvdb/OSVDB:27965", "id": "OSVDB:27965", "type": "osvdb", "title": "Owl Intranet Engine lib/owl.lib.php SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:09:21", "bulletinFamily": "scanner", "description": "The remote host is running Owl Intranet Engine, a web-based document management system written in PHP. \n\nThe version of Owl Intranet Engine on the remote host fails to sanitize input to the session id cookie before using it in a database query. Provided PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated attacker may be able to exploit this issue to uncover sensitive information such as password hashes, modify data, launch attacks against the underlying database, etc. 
\n\nIn addition, the application reportedly suffers from at least one cross-site scripting issue.", "modified": "2018-07-24T00:00:00", "id": "OWL_091.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22232", "published": "2006-08-17T00:00:00", "title": "Owl Intranet Engine <= 0.91 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22232);\n script_version(\"1.16\");\n\n script_cve_id(\"CVE-2006-4211\", \"CVE-2006-4212\");\n script_bugtraq_id(19552);\n\n script_name(english:\"Owl Intranet Engine <= 0.91 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for SQL injection flaw in Owl Intranet Engine\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to\nseveral issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Owl Intranet Engine, a web-based document\nmanagement system written in PHP. \n\nThe version of Owl Intranet Engine on the remote host fails to\nsanitize input to the session id cookie before using it in a database\nquery. Provided PHP's 'magic_quotes_gpc' setting is disabled, an\nunauthenticated attacker may be able to exploit this issue to uncover\nsensitive information such as password hashes, modify data, launch\nattacks against the underlying database, etc. 
\n\nIn addition, the application reportedly suffers from at least one\ncross-site scripting issue.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://sourceforge.net/forum/forum.php?forum_id=601910\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the patch referenced in the vendor advisory above.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/08/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/08/15\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80, embedded: 0);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Loop through directories.\nif (thorough_tests) dirs = list_uniq(make_list(\"/owl\", \"/intranet\", cgi_dirs()));\nelse dirs = make_list(cgi_dirs());\n\nforeach dir (dirs) {\n set_http_cookie(name: \"owl_sessid\", value: \"'\"+SCRIPT_NAME);\n # Try to exploit the flaw to generate a SQL syntax error.\n r = http_send_recv3(method: \"GET\", item:string(dir, \"/index.php\"), port:port);\n if (isnull(r)) exit(0);\n\n # There's a problem if we see an error message with our 
script name.\n if (string(\"sessions where sessid = ''\", SCRIPT_NAME) >< r[2])\n {\n security_hole(port);\n\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}