Executive Summary

Summary
Title New smbind packages fix sql injection
Informations
Name DSA-2103 First vendor Publication 2010-09-05
Vendor Debian Last vendor Modification 2010-09-05
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that smbind, a PHP-based tool for managing DNS zones for BIND, does not properly validating input. An unauthenticated remote attacker could execute arbitrary SQL commands or gain access to the admin account.

For the stable distribution (lenny), this problem has been fixed in version 0.4.7-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in version 0.4.7-5, and will migrate to the testing distribution (squeeze) shortly.

We recommend that you upgrade your smbind (0.4.7-3+lenny1) package.

Original Source

Url : http://www.debian.org/security/2010/dsa-2103

CWE : Common Weakness Enumeration

idName
CWE-89Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application11

OpenVAS Exploits

DateDescription
2010-12-09Name : Simple Management BIND Admin Login Page SQL Injection Vulnerability
File : nvt/gb_smbind_admin_login_sql_inj_vuln.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
67829Simple Management for BIND main.php username Parameter SQL Injection

Nessus® Vulnerability Scanner

DateDescription
2010-09-06Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2103.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:29:39
  • Multiple Updates