DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection Dec 07 2011 04:56PM
ddivulnalert ddifrontline com
DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection


Date Discovered
November 18, 2011

Discovered By
Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description
The KnowledgeTree login.php login page is vulnerable to a blind SQL
injection vulnerability within the username field. An attacker can
leverage this flaw to execute arbitrary SQL commands and extract
sensitive information from the backend database using standard blind
SQL exploitation techniques. Additionally, an attacker may be able to
leverage this flaw to compromise the database server host OS.

Solution Description
KnowledgeTree has released a patch which addresses the issue. The new
source is available at:

Tested Systems / Software
KnowledgeTree Version (community edition)

Vendor Contact
Vendor Name: KnowledgeTree, Inc.
Vendor Website: http://www.knowledgetree.com/

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus