CVE-2008-6114 : Detail

SQL Injection
A03-Injection
0.06%V3
Network
2009-02-11 16h25 +00:00
2017-09-28 10h57 +00:00

CVE Descriptions

SQL injection vulnerability in product_details.php in the Mytipper Zogo-shop 1.15.4 plugin for e107 allows remote attackers to execute arbitrary SQL commands via the product parameter.

CVE Information

Related Weaknesses

CWE-ID | Weakness Name | Source
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.5 | | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 7184

Publication date : 2008-11-21 23h00 +00:00
Author : NoGe
EDB Verified : Yes

=========================================================================================
[o] ZoGo-Shop e107 plugins 1.15.4 SQL Injection Vulnerability

Software : ZoGo-Shop plugin version 1.15.4
Vendor : http://e107.org/
Download : http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.89
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com
=========================================================================================

[o] Vulnerable file

e107_plugins/zogo-shop/product_details.php

$product_ID=$_GET["product"];

[o] Exploit

http://localhost/[path]/e107_plugins/zogo-shop/product_details.php?product=[SQL]

[o] Dork

"Powered by ZoGo-Shop" or "e107_plugins/zogo-shop/product_details.php"
=========================================================================================

[o] Greetz

MainHack BrotherHood [ http://serverisdown.org/blog/]
Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa H312Y yooogy mousekill }^-^{ kaka11 martfella
skulmatic olibekas ulga Cungkee k1tk4t str0ke
=========================================================================================

# milw0rm.com [2008-11-22]

Products Mentioned

Configuration 0

Mytipper >> Zogo_shop >> Version 1.15.4

E107 >> E107 >> Version *

References

https://www.exploit-db.com/exploits/7184
Tags : exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/32795
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/32423
Tags : vdb-entry, x_refsource_BID