CVE-2007-0347 - OpenCVE

The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cvstrac	Cvstrac

Configuration 1 [-]

OR	cpe:2.3:a:cvstrac:cvstrac::::::::
	cpe:2.3:a:cvstrac:cvstrac:1.1:::::::*
	cpe:2.3:a:cvstrac:cvstrac:1.1.1:::::::*
	cpe:2.3:a:cvstrac:cvstrac:1.1.2:::::::*
	cpe:2.3:a:cvstrac:cvstrac:1.1.3:::::::*
	cpe:2.3:a:cvstrac:cvstrac:1.1.4:::::::*

No data.

References

Link	Providers
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html
http://osvdb.org/31935
http://secunia.com/advisories/23940
http://securityreason.com/securityalert/2192
http://www.cvstrac.org/cvstrac/chngview?cn=850
http://www.cvstrac.org/cvstrac/tktview?tn=683
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html
http://www.securityfocus.com/archive/1/458455/100/0/threaded
http://www.securityfocus.com/bid/22296
http://www.vupen.com/english/advisories/2007/0398

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-01-29T20:00:00

Updated: 2024-08-07T12:12:18.211Z

Reserved: 2007-01-18T00:00:00

Link: CVE-2007-0347

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-01-29T20:28:00.000

Modified: 2018-10-16T16:32:18.603

Link: CVE-2007-0347

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-01-29T00:00:00", "descriptions": [{"lang": "en", "value": "The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the \"'\" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2007-0398", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/0398"}, {"name": "2192", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2192"}, {"name": "31935", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/31935"}, {"name": "20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html"}, {"name": "20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/458455/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.cvstrac.org/cvstrac/chngview?cn=850"}, {"name": "22296", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/22296"}, {"name": "OpenPKG-SA-2007.008", "tags": ["vendor-advisory", "x_refsource_OPENPKG"], "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html"}, {"name": "23940", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/23940"}, {"tags": ["x_refsource_MISC"], "url": "http://www.cvstrac.org/cvstrac/tktview?tn=683"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-0347", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the \"'\" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2007-0398", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/0398"}, {"name": "2192", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2192"}, {"name": "31935", "refsource": "OSVDB", "url": "http://osvdb.org/31935"}, {"name": "20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability", "refsource": "FULLDISC", "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html"}, {"name": "20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/458455/100/0/threaded"}, {"name": "http://www.cvstrac.org/cvstrac/chngview?cn=850", "refsource": "CONFIRM", "url": "http://www.cvstrac.org/cvstrac/chngview?cn=850"}, {"name": "22296", "refsource": "BID", "url": "http://www.securityfocus.com/bid/22296"}, {"name": "OpenPKG-SA-2007.008", "refsource": "OPENPKG", "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html"}, {"name": "23940", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/23940"}, {"name": "http://www.cvstrac.org/cvstrac/tktview?tn=683", "refsource": "MISC", "url": "http://www.cvstrac.org/cvstrac/tktview?tn=683"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T12:12:18.211Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2007-0398", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/0398"}, {"name": "2192", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/2192"}, {"name": "31935", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/31935"}, {"name": "20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html"}, {"name": "20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/458455/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.cvstrac.org/cvstrac/chngview?cn=850"}, {"name": "22296", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/22296"}, {"name": "OpenPKG-SA-2007.008", "tags": ["vendor-advisory", "x_refsource_OPENPKG", "x_transferred"], "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html"}, {"name": "23940", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/23940"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.cvstrac.org/cvstrac/tktview?tn=683"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-0347", "datePublished": "2007-01-29T20:00:00", "dateReserved": "2007-01-18T00:00:00", "dateUpdated": "2024-08-07T12:12:18.211Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cvstrac:cvstrac:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3F42760-C4F3-4929-9377-1C207F5F7DED", "versionEndIncluding": "2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "BB739BB5-9DEE-43BF-8EC8-1567B3E28C46", "vulnerable": true}, {"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "DFAB0125-7125-48D0-84A8-B4BAD15BEFA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "382BAF58-3E11-475A-9453-9FA0CC55BA8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A82DCEFC-77F1-4FD3-9825-A779160BD3C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cvstrac:cvstrac:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "E31C434A-D807-4397-B794-7BEC4C0898B9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the \"'\" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries."}, {"lang": "es", "value": "La funci\u00f3n is_eow en format.c de CVSTrac anterior a 2.0.1 no comprueba adecuadamente el car\u00e1cter \"'\" (comilla simple), lo cual permite a usuarios autenticados remotamente ejecutar ataques de inyecci\u00f3n SQL limitados y provocar denegaci\u00f3n de servicio (error de base de datos) mediante un car\u00e1cter ' en determinados mensajes, tiques, o entradas de Wiki."}], "evaluatorComment": "The DoS vulnerability exists because the is_eow() function in \"format.c\" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into a SQL escaping problem.", "evaluatorImpact": "An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like \"VACUUM\".", "evaluatorSolution": "Successful remote unauthenticated exploit requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default).", "id": "CVE-2007-0347", "lastModified": "2018-10-16T16:32:18.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-01-29T20:28:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/31935"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/23940"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2192"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.cvstrac.org/cvstrac/chngview?cn=850"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.cvstrac.org/cvstrac/tktview?tn=683"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/458455/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/22296"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/0398"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}