Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2006-1930

Overview

Vulnerability Score 6.4 6.4
CVE Id CVE-2006-1930
Last Modified 03 Nov 2008 01:18:01
Published 20 Apr 2006 02:06:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2006-1930

Summary

** DISPUTED ** Multiple SQL injection vulnerabilities in userscript.php in Green Minute 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) huserid, (2) pituus, or (3) date parameters. NOTE: this issue has been disputed by the vendor, saying "those parameters mentioned ARE checked (preg_match) before they are used in SQL-query... If someone decided to add SQL-injection stuff to certain parameter, they would see an error text, but only because _nothing_ was passed inside that parameter (to MySQL-database)." As allowed by the vendor, CVE investigated this report on 20060525 and found that the demo site demonstrated a non-sensitive SQL error when given standard SQL injection manipulations.

Vulnerable Systems

Application

  • Hoito Green Minute 1.0


References

XF - greenminute-userscript-sql-injection(25942)

OSVDB - 25207

MISC - http://pridels0.blogspot.com/2006/04/green-minute-sql-inj-vuln.html

MISC - http://osvdb.org/ref/25/25207-dispute.txt

MISC - http://hoito.org/en/products/


Last Updated: 27 May 2016 10:42:16