DSA-2103Executive Summary
| Summary | |
|---|---|
| Title | New smbind packages fix sql injection |
| Informations | |||
|---|---|---|---|
| Name | DSA-2103 | First vendor Publication | 2010-09-05 |
| Vendor | Debian | Last vendor Modification | 2010-09-05 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentification | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
It was discovered that smbind, a PHP-based tool for managing DNS zones for BIND, does not properly validating input. An unauthenticated remote attacker could execute arbitrary SQL commands or gain access to the admin account. For the stable distribution (lenny), this problem has been fixed in version 0.4.7-3+lenny1. For the unstable distribution (sid), this problem has been fixed in version 0.4.7-5, and will migrate to the testing distribution (squeeze) shortly. We recommend that you upgrade your smbind (0.4.7-3+lenny1) package. |
Original Source
| Url : http://www.debian.org/security/2010/dsa-2103 |
CWE : Common Weakness Enumeration
| id | Name |
|---|---|
| CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 11 |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 67829 | Simple Management for BIND main.php username Parameter SQL Injection |
(High)
