製品・ソフトウェアに関する情報

JVN脆弱性詳細

CVSTrac の format.c の is_eow 関数におけるサービス運用妨害 (DoS) の脆弱性

Title	CVSTrac の format.c の is_eow 関数におけるサービス運用妨害 (DoS) の脆弱性
Summary	CVSTrac の format.c の is_eow 関数は、"'" (引用符) 文字を適切にチェックしないため、特定の SQL インジェクション攻撃を実行される、およびサービス運用妨害 (データベースエラー) 状態となる脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、特定のメッセージ、チケット、または Wiki エントリ内の "'" 文字を介して、特定の SQL インジェクション攻撃を実行される、およびサービス運用妨害 (データベースエラー) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Jan. 29, 2007, midnight
Registration Date	June 26, 2012, 3:46 p.m.
Last Update	June 26, 2012, 3:46 p.m.

Affected System

cvstrac

cvstrac 2.0.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2007-0347	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0347
National Vulnerability Database (NVD)
2	CVE-2007-0347	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0347

ベンダー情報

No	Name	URL
cvstrac
1	Top Page	http://www.cvstrac.org/index.html/doc/trunk/www/index.html

Change Log

No	Changed Details	Date of change
0	[2012年06月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2007-0347

Summary	The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries.
Summary	An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM".
Summary	The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into a SQL escaping problem.
Summary	Successful remote unauthenticated exploit requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default).
Publication Date	Jan. 30, 2007, 5:28 a.m.
Registration Date	Jan. 29, 2021, 2:05 p.m.
Last Update	Oct. 17, 2018, 1:32 a.m.

Affected software configurations

Related information, measures and tools

No	URL	refsource	タグ
1	http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html	FULLDISC	Patch Vendor Advisory
2	http://osvdb.org/31935	OSVDB
3	http://secunia.com/advisories/23940	SECUNIA
4	http://securityreason.com/securityalert/2192	SREASON
5	http://www.cvstrac.org/cvstrac/chngview?cn=850	CONFIRM	Patch Vendor Advisory
6	http://www.cvstrac.org/cvstrac/tktview?tn=683	MISC	Patch Vendor Advisory
7	http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html	OPENPKG	Vendor Advisory
8	http://www.securityfocus.com/archive/1/458455/100/0/threaded	BUGTRAQ
9	http://www.securityfocus.com/bid/22296	BID
10	http://www.vupen.com/english/advisories/2007/0398	VUPEN

Common Vulnerabilities List