PT-2010-3491 · Clansphere · Clansphere

Stefan Esser

Published

2010-05-07

Updated

2017-08-17

CVE-2010-1865

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions ClanSphere versions 2009.0.3 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the IP address to the cs getip function in generate.php within the Captcha module, or through the s email parameter to the cs sql select function in the MySQL database driver (mysql.php).

Recommendations For ClanSphere versions 2009.0.3 and earlier, as a temporary workaround, consider restricting access to the Captcha module and the MySQL database driver until a patch is available. Avoid using the s email parameter in the affected MySQL database driver until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2010-1865

Affected Products

Clansphere

PT-2010-3491 · Clansphere · Clansphere

CVE-2010-1865

Weakness Enumeration

Related Identifiers

Affected Products

References · 13