Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
TitleNew smbind packages fix sql injection
Informations
NameDSA-2103First vendor Publication2010-09-05
VendorDebianLast vendor Modification2010-09-05
Severity (Vendor) N/ARevision1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score7.5Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that smbind, a PHP-based tool for managing DNS zones for BIND, does not properly validating input. An unauthenticated remote attacker could execute arbitrary SQL commands or gain access to the admin account.

For the stable distribution (lenny), this problem has been fixed in version 0.4.7-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in version 0.4.7-5, and will migrate to the testing distribution (squeeze) shortly.

We recommend that you upgrade your smbind (0.4.7-3+lenny1) package.

Original Source

Url : http://www.debian.org/security/2010/dsa-2103

CWE : Common Weakness Enumeration

idName
CWE-89Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application11

OpenVAS Exploits

DateDescription
2010-12-09Name : Simple Management BIND Admin Login Page SQL Injection Vulnerability
File : nvt/gb_smbind_admin_login_sql_inj_vuln.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
67829Simple Management for BIND main.php username Parameter SQL Injection

Nessus® Vulnerability Scanner

DateDescription
2010-09-06Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2103.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:29:39
  • Multiple Updates