| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2010-1583 | 29 Apr 2010 00:00 | – | circl |
| CVE-2010-1583 | 5 May 2010 18:00 | – | cve |
| CVE-2010-1583 | 5 May 2010 18:00 | – | cvelist |
| TaskFreak 0.6.2 - SQL Injection | 29 Apr 2010 00:00 | – | exploitdb |
| EUVD-2010-1610 | 7 Oct 2025 00:30 | – | euvd |
| TaskFreak 0.6.2 - SQL Injection | 29 Apr 2010 00:00 | – | exploitpack |
| CVE-2010-1583 | 6 May 2010 12:47 | – | nvd |
| TaskFreak! < 0.6.3 SQLi Vulnerability | 25 May 2010 00:00 | – | openvas |
| Task Freak 'loadByKey()' SQL Injection Vulnerability | 25 May 2010 00:00 | – | openvas |
| Sql injection | 6 May 2010 12:47 | – | prion |
CVE-2010-1583
Vendor notified and product update released.
Details of this report are also available at
http://www.madirish.net/?article=456
Description of Vulnerability:
------------------------------
The Tirzen Framework (http://www.tirzen.net/tzn/) is a supporting API
developed by Tirzen (http://www.tirzen.com), an intranet and internet
solutions provider. The Tirzen Framework contains a SQL injection
vulnerability (http://www.owasp.org/index.php/SQL_Injection). This
vulnerability could allow an attacker to arbitrarily manipulate SQL
strings constructed using the library. This vulnerability manifests
itself most notably in the Task Freak (http://www.taskfreak.com/) open
source task management software. The vulnerability can be exploited to
bypass authentication and gain administrative access to the Task Freak
system.
Systems affected:
------------------
Task Freak Multi User / mySQL v0.6.2 with Tirzen Framework 1.5 was
tested and shown to be vulnerable.
Impact
-------
Attackers could manipulate database query strings resulting in
information disclosure, data destruction, authentication bypass, etc.
Technical discussion and proof of concept:
-------------------------------------------
Tirzen Framework class TznDbConnection in the function loadByKey()
(tzn_mysql.php line 605) manifests a SQL injection vulnerability because
it fails to sanitize user-supplied input used to compose SQL statements.
Proof of concept: any user can log into TaskFreak as the administrator
simply by using the username "1' or 1='1".
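As an added illustration of the pattern the advisory describes (not code from Tirzen or TaskFreak), the following Python models a loadByKey()-style lookup over an in-memory SQLite table: the vulnerable form splices the caller's value into the query text, the hardened form allow-lists the column name and binds the value as a parameter. The table, column names and allow-list are assumptions; SQLite compares the integer 1 and the text '1' as unequal, so the payload uses '1'='1' where the advisory's MySQL payload uses 1='1'.

```python
import sqlite3

# Constructed stand-in for the TaskFreak user table (assumption; column names are made up).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (login, is_admin) VALUES (?, ?)",
                   [("admin", 1), ("alice", 0)])
    return db

# Username in the advisory's style; SQLite needs '1'='1' where MySQL accepts 1='1'.
PAYLOAD = "1' or '1'='1"

# Columns a caller may legitimately look a user up by (hypothetical allow-list).
ALLOWED_KEYS = {"id", "login"}

def load_by_key_vulnerable(db, key, value):
    """Models the defect: key and value are spliced straight into the SQL text."""
    sql = f"SELECT id, login, is_admin FROM users WHERE {key} = '{value}' LIMIT 1"
    return db.execute(sql).fetchone()

def load_by_key_hardened(db, key, value):
    """Column name checked against the allow-list; value bound as a parameter."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"unexpected lookup column: {key!r}")
    sql = f"SELECT id, login, is_admin FROM users WHERE {key} = ? LIMIT 1"
    return db.execute(sql, (value,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # Vulnerable: WHERE login = '1' or '1'='1' matches every row; LIMIT 1 hands back the admin.
    print("vulnerable:", load_by_key_vulnerable(db, "login", PAYLOAD))  # (1, 'admin', 1)
    # Hardened: the whole string is compared as a login and matches nothing.
    print("hardened:  ", load_by_key_hardened(db, "login", PAYLOAD))    # None
```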
Vendor response:
----------------
Upgrade to the latest version of TaskFreak.
--
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey