Pentaho BI Project Multiple Unspecified SQL Injection Vulnerabilities

TITLE: Pentaho BI Project Multiple Unspecified SQL Injection Vulnerabilities
CLASS: Input Validation Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Oct 30 2006 12:00AM
UPDATE: Oct 31 2006 05:02PM
CREDIT: These issues were disclosed by the vendor.
VULNERABLE: Pentaho BI 1.2 RC2
NOT VULNERABLE: Pentaho BI 1.2 RC3

Go to the original page on Security Focus

Discussion

Pentaho BI Project is prone to multiple unspecified SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in SQL queries.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Exploit

Attackers can exploit this issue via a web client.

Solution

The vendor addressed these issues in version 1.2 RC3.
