CVE-2012-5694
Description
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.pl; the (6) modemPhoneNo, (7) controlKey, or (8) appURLPath parameter to frameworkgui/attachMobileModem.pl; the agentsDD parameter to (9) escalatePrivileges.pl, (10) getContacts.pl, (11) getDatabase.pl, (12) sendSMS.pl, or (13) takePic.pl in frameworkgui/; or the modemNoDD parameter to (14) escalatePrivileges.pl, (15) getContacts.pl, (16) getDatabase.pl, (17) SEAttack.pl, (18) sendSMS.pl, (19) takePic.pl, or (20) CSAttack.pl in frameworkgui/.
Mitigations
Vendor advisory: cve@mitre.org — https://twitter.com/georgiaweidman/statuses/269138431567855618
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| bulbsecurity | smartphone_pentest_framework | 0.1.2 | |
References
- http://osvdb.org/87324
- http://osvdb.org/87325
- http://secunia.com/advisories/51414
- https://twitter.com/georgiaweidman/statuses/269138431567855618
- https://www.htbridge.com/advisory/HTB23123
CWEs
CWE-89