"value":"The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the \"'\" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries."
},
{
"lang":"es",
"value":"La funci\u00f3n is_eow en format.c de CVSTrac anterior a 2.0.1 no comprueba adecuadamente el car\u00e1cter \"'\" (comilla simple), lo cual permite a usuarios autenticados remotamente ejecutar ataques de inyecci\u00f3n SQL limitados y provocar denegaci\u00f3n de servicio (error de base de datos) mediante un car\u00e1cter ' en determinados mensajes, tiques, o entradas de Wiki."
"evaluatorComment":"The DoS vulnerability exists because the is_eow() function in \"format.c\" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into a SQL escaping problem.",
"evaluatorSolution":"Successful remote unauthenticated exploit requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default).",
"evaluatorImpact":"An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like \"VACUUM\"."
