[Secure-testing-team] Bug#539452: gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
Ansgar Burchardt
ansgar at 2008.43-1.org
Sat Aug 1 01:53:05 UTC 2009
Package: gnudip
Version: 2.1.1-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
gnudip's web interface is vulnerable to SQL injections. If one changes
the email address to something like
test at example.com", level="ADMIN
one gets administrator permissions. The server script gdips.pl also
looks prone to SQL injection attacks.
Regards,
Ansgar
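The failure mode described in the report, next to the parameterized form that prevents it. This is an added example, not gnudip's code and not part of the original message. Only the `level` column and the `ADMIN` value come from the report; the `users` table, the `username` and `email` columns, the helper names and the sample value (written with single quotes so it runs on SQLite offline) are assumptions.

```python
import sqlite3

# Constructed sample value modelled on the one in the report.
SUBMITTED_EMAIL = "test@example.com', level='ADMIN"


def make_db():
    """In-memory database with one ordinary user (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, level TEXT)"
    )
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.com', 'USER')")
    return db


def set_email_concat(db, username, email):
    """Vulnerable pattern: the form value becomes part of the SQL text."""
    sql = "UPDATE users SET email='%s' WHERE username='%s'" % (email, username)
    db.execute(sql)  # the value closes the string and adds a second assignment


def set_email_bound(db, username, email):
    """Hardened pattern: the value is bound as data, never parsed as SQL."""
    db.execute("UPDATE users SET email=? WHERE username=?", (email, username))


def row_of(db, username):
    """Return (email, level) for a user."""
    return db.execute(
        "SELECT email, level FROM users WHERE username=?", (username,)
    ).fetchone()


def compare():
    """Apply the same submitted value through both code paths."""
    vulnerable, hardened = make_db(), make_db()
    set_email_concat(vulnerable, "alice", SUBMITTED_EMAIL)
    set_email_bound(hardened, "alice", SUBMITTED_EMAIL)
    return row_of(vulnerable, "alice"), row_of(hardened, "alice")


if __name__ == "__main__":
    concat_row, bound_row = compare()
    print("concatenated:", concat_row)
    print("bound:       ", bound_row)
```

With bound parameters the whole submitted string is stored as the email address and `level` is untouched, so a stored address containing quote characters is also a useful signal when reviewing existing rows.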