Vigil@nce - Centreon: SQL injection via an HTTP request
December 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can insert SQL statements into a parameter of an HTTP
request, in order to bypass access control to the database.
Impacted products: Centreon
Severity: 2/4
Creation date: 13/12/2012
DESCRIPTION OF THE VULNERABILITY
The product Centreon includes a Web application.
The page menuXML.php defines a query parameter named menu.
However, the application does not properly validate the value
received from the HTTP client, which allows an attacker to modify
the SQL statement that the application sends to the database.
An attacker can therefore insert SQL statements into a parameter
of an HTTP request, in order to bypass access control to the
database.
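To check whether the menu parameter of menuXML.php has received unexpected values, the web server access log can be reviewed. The Python code below is an added example, not part of the Vigil@nce bulletin or of Centreon; it assumes a combined-format access log, that legitimate menu values are short decimal ids, and a constructed URL prefix (/example-prefix/).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate "menu" value is a short decimal id.
EXPECTED_MENU = re.compile(r"[0-9]{1,6}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_menu_requests(lines):
    """Return (line_number, decoded_value) for each menuXML.php request
    whose menu query parameter is not a plain decimal id."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/menuXML.php"):
            continue
        # parse_qs percent-decodes once; a double-encoded value still
        # contains '%' afterwards and is therefore flagged as well.
        values = parse_qs(url.query, keep_blank_values=True).get("menu", [])
        for value in values:
            if not EXPECTED_MENU.fullmatch(value):
                findings.append((number, value))
    return findings


# Constructed sample log lines (documentation address, hypothetical prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Dec/2012:10:00:01 +0100] '
    '"GET /example-prefix/menuXML.php?menu=2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [13/Dec/2012:10:00:05 +0100] '
    '"GET /example-prefix/menuXML.php?menu=2%27 HTTP/1.1" 200 0',
    '192.0.2.10 - - [13/Dec/2012:10:00:09 +0100] '
    '"GET /example-prefix/menuXML.php?menu=2+OR+1%3D1 HTTP/1.1" 200 0',
    '192.0.2.10 - - [13/Dec/2012:10:00:12 +0100] '
    '"GET /example-prefix/main.php?p=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in suspicious_menu_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected menu value {value!r}")
```

Only values sent in the query string appear in an access log; a menu value sent in a request body would need application or WAF logging to be seen.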
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Centreon-SQL-injection-via-an-HTTP-request-12232