CVE-2012-5694

Name of the Vulnerable Software and Affected Versions Bulb Security Smartphone Pentest Framework (SPF) versions prior to 0.1.3

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters to different scripts within the frameworkgui directory, including agentPhNo, controlPhNo, agentURLPath, agentControlKey, platformDD1, modemPhoneNo, controlKey, appURLPath, agentsDD, and modemNoDD. The affected scripts include attach2Agents.pl, attachMobileModem.pl, escalatePrivileges.pl, getContacts.pl, getDatabase.pl, sendSMS.pl, takePic.pl, SEAttack.pl, and CSAttack.pl.

Recommendations For versions prior to 0.1.3, update to version 0.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters and scripts until a patch is applied. Specifically, avoid using the parameters agentPhNo, controlPhNo, agentURLPath, agentControlKey, platformDD1, modemPhoneNo, controlKey, appURLPath, agentsDD, and modemNoDD in the affected API endpoints until the issue is resolved. Restrict access to the scripts in the frameworkgui directory to minimize the risk of exploitation.