A SQL injection flaw was found in the way OCS Inventory NG used to process machine blacklisting based on MAC addresses. A remote attacker (valid OCS NG user) could issue a specially-crafted HTTP request, leading to sensitive information disclosure or, potentially, to arbitrary SQL code execution.

References:
-----------
http://seclists.org/fulldisclosure/2009/Aug/0143.html
http://www.ocsinventory-ng.org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=147&cntnt01returnid=15

PoC:
----
http://localhost/ocsreports/machine.php?systemid=1)%20union%20select%201,2,user( ),3,5,6,7,8,9,10,11,12,passwd,14,15,16,17,18,id,20,21,22,23,24,25,26,27,27,version()%20from%20operators%20--

Upstream patch:
---------------
http://ocsinventory.svn.sourceforge.net/viewvc/ocsinventory/branches/server/1.02/ocsreports/machine.php?r1=1762&r2=1829&view=patch

Credit:
-------
Guilherme Marinheiro

CVE request:
------------
http://www.openwall.com/lists/oss-security/2009/08/17/3
This issue affects the versions of the ocsinventory package, as shipped with Fedora releases 10 and 11.

This issue affects the versions of the ocsinventory package, as shipped with the Extra Packages for Enterprise Linux (EPEL-4 and EPEL-5) projects.

Please fix.
ocsinventory-1.02.1-3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ocsinventory-1.02.1-3.fc11
ocsinventory-1.02.1-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ocsinventory-1.02.1-3.fc10
ocsinventory-1.02.1-3.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/ocsinventory-1.02.1-3.el5
ocsinventory-1.02.1-3.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/ocsinventory-1.02.1-3.el4
ocsinventory-1.02.1-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.02.1-3.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.02.1-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.02.1-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 519497 has been marked as a duplicate of this bug. ***
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3042 to the following vulnerability:

Name: CVE-2009-3042
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3042
Assigned: 20090901
Reference: BUGTRAQ:20090811 Sql injection in OCS Inventory NG Server 1.2.1
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/505675/100/0/threaded
Reference: FULLDISC:20090811 Sql injection in OCS Inventory NG Server 1.2.1
Reference: URL: http://seclists.org/fulldisclosure/2009/Aug/0143.html
Reference: MILW0RM:9416
Reference: URL: http://www.milw0rm.com/exploits/9416
Reference: CONFIRM: http://www.ocsinventory-ng.org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=147&cntnt01returnid=15
Reference: SECUNIA:35311
Reference: URL: http://secunia.com/advisories/35311

SQL injection vulnerability in machine.php in Open Computer and Software (OCS) Inventory NG 1.02.1 allows remote attackers to execute arbitrary SQL commands via the systemid parameter, a different vector than CVE-2009-3040.
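
A log check for the systemid vector described in this report, added here as an example and not code from OCS Inventory NG or from anyone in this bug: it flags requests to machine.php whose decoded systemid is not a plain decimal number. The Apache combined log format, the function name and the sample lines are constructed for illustration, and the premise that a legitimate systemid is always an integer is an assumption drawn from the "systemid=1" prefix in the PoC.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Aug/2009:10:00:01 +0000] "GET /ocsreports/machine.php?systemid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [17/Aug/2009:10:02:13 +0000] "GET /ocsreports/machine.php?systemid=1)%20union%20select%201,2%20-- HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Aug/2009:10:03:40 +0000] "GET /ocsreports/index.php?lang=en HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.77 - - [17/Aug/2009:10:04:02 +0000] "GET /ocsreports/machine.php?systemid=7%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Groups: client, timestamp, method, request target, status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: a legitimate systemid is a decimal integer, as in "systemid=1".
NUMERIC_ID = re.compile(r"[0-9]+")


def suspicious_systemid_requests(log_text):
    """Return (client, timestamp, decoded systemid) for each request to
    machine.php whose systemid value is not purely numeric."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, when, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/machine.php"):
            continue
        # parse_qs percent-decodes values; keep blanks so "systemid=" is checked too.
        values = parse_qs(url.query, keep_blank_values=True).get("systemid", [])
        for value in values:
            if not NUMERIC_ID.fullmatch(value):
                hits.append((client, when, value))
    return hits


if __name__ == "__main__":
    for client, when, value in suspicious_systemid_requests(SAMPLE_LOG):
        print(f"{when} {client} systemid={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check only sees GET requests such as the one in the report's PoC.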