Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbRedTeam PentestingEDB-ID:25101
HistoryFeb 15, 2005 - 12:00 a.m.

CitrusDB 0.3.6 - 'importcc.php' CSV File SQL Injection

2005-02-1500:00:00
RedTeam Pentesting
www.exploit-db.com
27

AI Score

7.4

Confidence

Low

JSON
source: https://www.securityfocus.com/bid/12557/info
  
CitrusDB is reportedly affected by an access validation vulnerability during the upload of CSV files. Exploitation of this issue could result in path disclosure or SQL injection. The issue exists because the application fails to verify user credentials during file upload and import.
  
These issues are reported to affect CitrusDB 0.3.6; earlier versions may also be affected.

THe following proof of concept demonstrates the SQL injection vulnerability:
Reportedly supplying ',,,,, as the contents of the uploaded csv file will make the SQL query in './citrusdb/tools/importcc.php' fail.

Related

nvd 1
securityvulns 2
cvelist 1
cve 1
nvd
nvd
CVE-2005-0410
2005-02-14 05:00:00
securityvulns
securityvulns
[Full-Disclosure] Advisory: SQL-Injection in CitrusDB
2005-02-15 00:00:00
[Full-Disclosure] Advisory: Upload Authorization bypass in CitrusDB
2005-02-15 00:00:00
cvelist
cvelist
CVE-2005-0410
2005-02-16 05:00:00
cve
cve
CVE-2005-0410
2005-02-16 05:00:00

AI Score

7.4

Confidence

Low

JSON
Related for EDB-ID:25101
nvd1securityvulns2cvelist1cve1