VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis
[ about VRDA Feed | JPCERT/CC



 
Vulnerability Analysis Result (Revision No : 1) [ Download XML
CVE-2010-3076
smbind: The filter function in php/src/include.php in Simpl...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3076

Original

The filter function in php/src/include.php in Simple Management for BIND (aka smbind) before 0.4.8 does not anchor a certain regular expression, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via the username parameter to the admin login page.

Translation   (Show)





About This Analysis Information
Analysis Information Provider:
NIST NVD
First Published:
2010-10-14
Source Information Category:
Advisory, Alert
Last Updated:
2010-10-14




Affected Product Tags
cpe:/a:blentz:smbind:0.2
cpe:/a:blentz:smbind:0.2.1
cpe:/a:blentz:smbind:0.3.1
cpe:/a:blentz:smbind:0.4
cpe:/a:blentz:smbind:0.4.1
cpe:/a:blentz:smbind:0.4.2
cpe:/a:blentz:smbind:0.4.3
cpe:/a:blentz:smbind:0.4.4
cpe:/a:blentz:smbind:0.4.5
cpe:/a:blentz:smbind:0.4.6
cpe:/a:blentz:smbind:0.4.7 and previous versions
 


Vulnerability Analysis Results
[Access Vector]  [?]
Undefined [?]

Local [?]
Adjacent Network [?]
X Network [?]
[Access Complexit]  [?]
Undefined [?]

High [?]
Medium [?]
X Low [?]
[Authentication]  [?]
Undefined [?]

Multiple [?]
Single [?]
X None [?]
[Confidentiality Impact]  [?]
Undefined [?]

None [?]
X Partial [?]
Complete [?]
[Integrity Impact]  [?]
Undefined [?]

None [?]
X Partial [?]
Complete [?]
[Availability Impact]  [?]
Undefined [?]

None [?]
X Partial [?]
Complete [?]
Alternatives




References
CONFIRM http://sourceforge.net/projects/smbind/files/smbind/0.4.8/smbind-0.4.8.tar.bz2/download




MISC http://packetstormsecurity.org/1009-exploits/smbind-sql.txt




MLIST [oss-security] 20100907 Re: CVE request: smbind Sql Injection




MLIST [oss-security] 20100905 CVE request: smbind Sql Injection




Vulnerability Type SQL Injection (CWE-89)




Copyright © 2010 JPCERT/CC All Rights Reserved.