CVE-2009-3040
Description
Multiple SQL injection vulnerabilities in Open Computer and Software (OCS) Inventory NG 1.02 for Unix allow remote attackers to execute arbitrary SQL commands via the (1) N, (2) DL, (3) O and (4) V parameters to download.php and the (5) SYSTEMID parameter to group_show.php.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
OCS Inventory NG 1.02 - Multiple SQL Injections
OCS Inventory NG - Multiple SQL Injections (May 30 2009)
_______________________________________________________________________________
* Product
Open Computer and Software (OCS) Inventory NG
(http://www.ocsinventory-ng.org/)
* Vulnerable Versions
OCS Inventory NG 1.02 (Unix)
* Vendor Status
Vendor has been notified and the vulnerability has been fixed.
* Details
The Open Computer and Software (OCS) Inventory Next Generation (NG)
provides relevant inventory information about system configurations and
software on the network. The server can be managed using a web
interface. It was found that the application does not properly sanitize
user input, which results in multiple SQL injections.
Affected are the following scripts:
- download.php (parameters `N', `DL', `O' and `V')
- group_show.php (parameter `SYSTEMID')
* Impact
Attackers may be able to manipulate SQL statements in such a way that
they can retrieve, create or modify information stored in the database.
Furthermore, the SQL injection might allow attackers to get a foothold
on the underlying system.
* Exploit
The vulnerability can be exploited by just using a web browser:
http://example.org/ocsreports/download.php?n=1&dl=2&o=3&v=4'union+all+select+concat(id,':',passwd)+from+operators%23
# milw0rm.com [2009-06-01]
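Added example (not part of the advisory or of the OCS Inventory NG code base): a check a defender could run over web server access logs to find requests that carry SQL metacharacters in the parameters the advisory lists. The combined log format, the marker set in SQLI, the /ocsreports/ path for group_show.php and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts and parameters named in the advisory (names matched case-insensitively).
WATCHED = {
    "download.php": {"n", "dl", "o", "v"},
    "group_show.php": {"systemid"},
}

# Assumption: a small marker set (quotes, SQL comment openers, UNION/SELECT).
SQLI = re.compile(r"['\"]|--|#|/\*|\b(?:union|select)\b", re.I)

# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return (script, parameter) pairs whose URL-decoded value matches SQLI."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    watched = WATCHED.get(script, set())
    return [
        (script, name.lower())
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in watched and SQLI.search(value)
    ]

def scan(lines):
    """Return (line number, hits) for every log line with a flagged parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((lineno, hits))
    return findings

# Constructed sample log; line 2 carries the request shown in the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2009:10:00:00 +0000] "GET /ocsreports/download.php?n=1&dl=2&o=3&v=4 HTTP/1.1" 200 512
192.0.2.66 - - [01/Jun/2009:10:00:05 +0000] "GET /ocsreports/download.php?n=1&dl=2&o=3&v=4'union+all+select+concat(id,':',passwd)+from+operators%23 HTTP/1.1" 200 734
192.0.2.10 - - [01/Jun/2009:10:01:00 +0000] "GET /ocsreports/group_show.php?systemid=7 HTTP/1.1" 200 901
192.0.2.66 - - [01/Jun/2009:10:01:07 +0000] "GET /ocsreports/group_show.php?SYSTEMID=7%27 HTTP/1.1" 200 120
192.0.2.10 - - [01/Jun/2009:10:02:00 +0000] "GET /ocsreports/index.php?q=o'brien HTTP/1.1" 200 300
""".splitlines()

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {hits}")
```

A hit shows that a request reached one of the affected scripts with a suspicious value, not that the injection succeeded; correlate with the installed version (fixed in 1.02.1-2 on Debian, per the table below).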
OS impact
Debian Fixed 3 releases
| Version | Status | Fixed in |
|---|---|---|
| sid | Fixed | 1.02.1-2 |
| bullseye | Fixed | 1.02.1-2 |
| bookworm | Fixed | 1.02.1-2 |