XOOPS Core 2.5.8.1 Install DB SQL Injection

CVE
============================================
CVE-2017-11174


Credit
============================================
Nguyen Thanh Nguyen


Dates
============================================
July 11, 2017


Vendor
============================================


Product
============================================
XOOPS Core


Versions Affected
============================================
2.5.8.1 and maybe below


Risk / Severity Rating
============================================
Context-Dependent


Vulnerability Description and Impact
============================================
Unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database setting page, related to use of GBK in CHARACTER SET and COLLATE clauses.
Impact: context-dependent, force create database with bad charset and collate and may lead to SQL injection somewhere. Update charset, collate of other database in server.


Solution
============================================
Filtered data before passing to queries.

Advertisements