Vulnerabilities > CVE-2007-0347 - Remote Denial of Service vulnerability in CVSTrac

CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL

Summary

The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries. An SQL injection via this technique is somewhat limited, as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters that isspace(3) does not treat as whitespace. This effectively limits attacks to SQL commands like "VACUUM". The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over the string and in this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and runs into an SQL escaping problem. Successful remote unauthenticated exploitation requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default).

Exploit-Db

description: CVSTrac 2.0.0 Post-Attack Database Resurrection DoS Exploit. CVE-2007-0347. DoS exploit for the cgi platform
id: EDB-ID:3223
last seen: 2016-01-31
modified: 2007-01-29
published: 2007-01-29
reporter: Ralf S. Engelschall
source: https://www.exploit-db.com/download/3223/
title: CVSTrac 2.0.0 - Post-Attack Database Resurrection DoS Exploit

Nessus

NASL family: CGI abuses
NASL id: CVSTRAC_OUTPUT_FORMATTER_DOS.NASL
description: According to its version number, the version of CVSTrac installed on the remote host contains a flaw related to its Wiki-style text output formatter that may allow an attacker to cause a partial denial of service, depending on the pages requested, via limited SQL injection.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24263
published: 2007-01-30
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24263
title: CVSTrac Text Output Formatter SQL Injection DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when the engine evaluates the script with
# `description` set, only the plugin metadata below is declared and the
# script exits; the actual version check runs after this block.
if (description)
{
 script_id(24263);
 script_version("1.15");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id("CVE-2007-0347");
 script_bugtraq_id(22296);

 script_name(english:"CVSTrac Text Output Formatter SQL Injection DoS");
 script_summary(english:"Checks CVSTrac version");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI script or is itself subject to a
denial of service attack.");
 script_set_attribute(attribute:"description", value:
"According to its version number, the version of CVSTrac installed on
the remote host contains a flaw related to its Wiki-style text output
formatter that may allow an attacker to cause a partial denial of
service, depending on the pages requested, via limited SQL injection.");
 script_set_attribute(attribute:"see_also", value:"http://www.cvstrac.org/cvstrac/tktview?tn=683");
 script_set_attribute(attribute:"see_also", value:"http://www.cvstrac.org/cvstrac/chngview?cn=850");
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/458455/30/0/threaded");
 script_set_attribute(attribute:"solution", value:"Upgrade to CVSTrac 2.0.1 or later.");
 # CVSSv2 base vector: network access, medium complexity, no authentication,
 # no confidentiality/integrity impact, partial availability impact (DoS).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/29");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/30");

 # Marked as a potential vulnerability, presumably because the check body
 # only compares the detected version string and never probes the flaw.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2007-2020 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 # The check body reads the "www/<port>/cvstrac" KB entry, which this
 # detection plugin is expected to populate, so it must run first.
 script_dependencie("cvstrac_detect.nasl");
 # Version-only checks can produce false positives, so the plugin is limited
 # to paranoid scans (the check body also gates on report_paranoia).
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www", 80);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http_func.inc");

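# Check body: version-based test only, so it is limited to paranoid scans;
# otherwise the plugin audits out without reporting anything.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80, embedded:TRUE);

# The KB entry is expected to look like "<version> under <...>" (presumably
# written by cvstrac_detect.nasl, see script_dependencie above); no entry
# means CVSTrac was not detected on this port.
kb = get_kb_item("www/" + port + "/cvstrac" );
if ( ! kb ) exit(0);

# Extract the version (first capture group). If the entry does not have the
# expected layout, eregmatch() yields no match; bail out here instead of
# handing a NULL "version" to ereg() below.
stuff = eregmatch(pattern:"(.*) under (.*)", string:kb );
if (isnull(stuff) || isnull(stuff[1]) || stuff[1] == "") exit(0);
version = stuff[1];

# Affected: every 0.x and 1.x release, and 2.0.0 itself (a single trailing
# non-digit, non-dot suffix character is tolerated). 2.0.1 and later are fixed.
if (ereg(pattern:"^([01]\.|2\.0\.0[^0-9.]?)", string:version))
	security_warning(port);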