Tuesday, September 14, 2010

ocsinventory: Multiple SQL-injection Vulnerabilities

Users of ocsinventory, please be advised that multiple SQL-injection vulnerabilities have been identified.

To view this vulnerability, possible remedies, and others, please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

Amplify’d from www.criticalwatch.com
MDVSA-2010:178: [MDVSA-2010:178] ocsinventory Multiple SQL-injection Vulnerabilities
Problem Description:

Multiple vulnerabilities have been found and corrected in ocsinventory:

Multiple cross-site scripting (XSS) vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to inject arbitrary web script or HTML via (1) the query string, (2) the BASE parameter, or (3) the ega_1 parameter. NOTE: some of these details are obtained from third party information (CVE-2010-1594).

Multiple SQL injection vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to execute arbitrary SQL commands via the (1) c, (2) val_1, or (3) onglet_bis parameter (CVE-2010-1595).

Multiple SQL injection vulnerabilities in OCS Inventory NG before 1.02.3 allow remote attackers to execute arbitrary SQL commands via (1) multiple inventory fields to the search form, reachable through index.php; or (2) the Software name field to the All softwares search form, reachable through index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information (CVE-2010-1733).
Read more at www.criticalwatch.com
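
For administrators reviewing web server logs while patching, the following is an added example (not part of the advisory or of OCS Inventory NG) that flags requests to ocsreports/index.php whose parameters named above carry SQL or HTML metacharacters. The combined log format, the URL path layout, the regex heuristics and the sample lines are assumptions of this example; it inspects only the named GET parameters, so the whole-query-string XSS vector, POST bodies and the unnamed search-form fields of CVE-2010-1733 are out of its scope.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory text above, grouped by the CVE that lists them.
SQLI_PARAMS = {"c", "val_1", "onglet_bis"}   # CVE-2010-1595
XSS_PARAMS = {"BASE", "ega_1"}               # CVE-2010-1594

# Heuristic patterns (an assumption of this example, not from the advisory).
SQL_META = re.compile(r"['\"`;]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)
HTML_META = re.compile(r"[<>\"']")

# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def triage(line):
    """Return a list of (cve, parameter, decoded value) findings for one log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/ocsreports/index.php"):
        return []
    findings = []
    # parse_qsl URL-decodes values, so percent-encoded quotes (%27) are seen too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in SQLI_PARAMS and SQL_META.search(value):
            findings.append(("CVE-2010-1595", name, value))
        elif name in XSS_PARAMS and HTML_META.search(value):
            findings.append(("CVE-2010-1594", name, value))
    return findings

# Constructed sample lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Sep/2010:10:00:01 +0000] "GET /ocsreports/index.php?c=3&lang=en HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Sep/2010:10:00:07 +0000] "GET /ocsreports/index.php?c=3%27 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Sep/2010:10:00:09 +0000] "GET /ocsreports/index.php?ega_1=%3Cb%3Ex HTTP/1.1" 200 5120',
    '192.0.2.10 - - [14/Sep/2010:10:00:12 +0000] "GET /other/index.php?c=%27 HTTP/1.1" 404 310',
]

def scan(lines):
    """Return (line number, finding) pairs for every flagged parameter."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in triage(line)]

if __name__ == "__main__":
    for lineno, (cve, param, value) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {cve} parameter {param!r} value {value!r}")
```

A hit only marks a request for review; the fix remains upgrading to the corrected packages referenced by the advisory.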
 
