BID:25827

NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability

Info

NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability

Bugtraq ID:	25827
Class:	Input Validation Error
CVE:	CVE-2007-5150
Remote:	Yes
Local:	No
Published:	Sep 27 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	Janek Vind "waraxe" is credited with the discovery of this vulnerability.
Vulnerable:	NukeScripts NukeSentinel 2.5.11

Not Vulnerable:	NukeScripts NukeSentinel 2.5.12

Discussion

NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability

NukeSentinel is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

NukeSentinel 2.5.11 is vulnerable; other versions may also be affected.

Exploit / POC

NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

Solution / Fix

NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability

Solution:
The vendor released NukeSentinel 2.5.12 to address this issue. Please see the references for more information.

References

NukeSentinel NukeSentinel.PHP SQL Injection Vulnerability

References:

Download Profile: NukeSentinel(tm) 2.5.12 66-81 (NukeScripts)
NukeScripts NukeSentinel Homepage (NukeScripts)
Another Sql Injection in NukeSentinel 2.5.11 (Janek Vind "wareaxe")