CVE-2012-1259
published 2020-01-09

CVE-2012-1259: Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before…

Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.25% (89.8th percentile)
Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrut_fa_exclusions.cgi, (2) getPermissionsAndPreferences parameter to cgi-bin/login.cgi, or (3) possibly certain parameters to d4d/alarms.php as demonstrated by the search_str parameter.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plixer | scrutinizer_netflow_sflow_analyzer | >= 8.6.2.16204, < 9.0.1.19899 | 9.0.1.19899 |

Detection & IOCs (extracted from sources)

url: /cgi-bin/scrut_fa_exclusions.cgi?name%3anew28%3a28=on&name%3anew7%3a7=on&name%3anew27%3a27=on&name%3anew13%3a13=on&standalone=&name%3anew5%3a5=on&name%3anew14%3a14=on&name%3anew9%3a9=on&user_id=&name%3anew23%3a23=on&name%3anew17%3a17=on&name%3anew11%3a11=on&name%3anew24%3a24=on&addip=')%20AND%20('a'='a&name%3anew18%3a18=on&name%3anew21%3a21=on&name%3anew19%3a19=on&name%3anew22%3a22=on&nbaupdate=1&name%3anew12%3a12=on&name%3anew25%3a25=on&name%3anew2%3a2=on&name%3anew1%3a1=on&name%3anew10%3a10=on&name%3anew15%3a15=on&name%3anew26%3a26=on&name%3anew4%3a4=on&name%3anew6%3a6=on
url: /cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=OyAOiECuFdtRbEBY&nocache=12_13_12_734
url: /d4d/alarms.php?loadAlarms=1&user_id=1&step=10&page=0&search_str=test&column=msg&fa_algorithm=all&order=modified_ts
path: /cgi-bin/scrut_fa_exclusions.cgi
path: /cgi-bin/login.cgi
path: /d4d/alarms.php
command: addip=') AND ('a'='a
command: getPermissionsAndPreferences=1 AND SLEEP(5)
  • Detect blind boolean-based SQL injection against scrut_fa_exclusions.cgi by monitoring for the addip parameter containing SQL syntax such as single quotes and AND conditions; a 200 OK followed by a 500 Internal Server Error on modified payloads is a strong indicator of exploitation.
  • Detect time-based blind SQL injection against login.cgi by monitoring for the getPermissionsAndPreferences parameter containing SLEEP() calls; server response delays of ~5 seconds are indicative of successful injection.
  • Monitor requests to d4d/alarms.php for SQL comment characters (e.g., --) in the search_str, column, or order parameters; SQL errors returned by the server indicate injectable parameters.
  • Flag unauthenticated (no valid session cookie) GET requests to any of the three vulnerable CGI/PHP endpoints, as the SQL injection is exploitable without authentication.
  • Vulnerability confirmed on version 8.6.2.16204; other versions prior to 9.0.1.19899 may also be affected but were not explicitly confirmed.
  • The fix was introduced in version 9.0.1.19899; detections should be scoped to instances running versions below this build number.
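
The detection notes above, applied to web access logs as an added example (not part of the original advisory or any vendor tooling). It assumes a combined-format log with the request duration in seconds as the last field; the sample lines are constructed, and the patterns are heuristics that also match benign text containing quotes or AND/OR.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameters named in the detection notes above.
WATCHED = {
    "/cgi-bin/scrut_fa_exclusions.cgi": ("addip",),
    "/cgi-bin/login.cgi": ("getPermissionsAndPreferences",),
    "/d4d/alarms.php": ("search_str", "column", "order"),
}
# SQL syntax the notes call out: quotes, AND/OR conditions, SLEEP(), comments.
SQL_HINT = re.compile(r"'|--|\bsleep\s*\(|\b(?:and|or)\b\s+\S", re.I)
# Assumed layout: combined log format with request seconds as the last field.
LINE = re.compile(r'"(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ .*? (\d+\.\d+)$')
SLOW_SECONDS = 4.5  # the login.cgi note expects a delay of about 5 seconds

def inspect(line):
    """Return findings for one access-log line; an empty list means clean."""
    m = LINE.search(line.strip())
    if not m:
        return []
    url = urlsplit(m.group(1))
    status, seconds = int(m.group(2)), float(m.group(3))
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = [
        f"SQL syntax in {name}={value!r}"
        for name in WATCHED.get(url.path, ())
        for value in query.get(name, [])
        if SQL_HINT.search(value)
    ]
    if findings and status >= 500:
        findings.append(f"server error {status} on flagged request")
    if findings and seconds >= SLOW_SECONDS:
        findings.append(f"response took {seconds:.1f}s")
    return findings

# Constructed sample lines (addresses, timestamps, sizes and timings invented).
SAMPLE = """\
203.0.113.7 - - [10/Jan/2020:10:00:00 +0000] "GET /cgi-bin/scrut_fa_exclusions.cgi?standalone=&user_id=&addip=')%20AND%20('a'='a&nbaupdate=1 HTTP/1.1" 200 812 "-" "-" 0.21
203.0.113.7 - - [10/Jan/2020:10:00:09 +0000] "GET /cgi-bin/login.cgi?getPermissionsAndPreferences=1%20AND%20SLEEP(5)&session_id=x HTTP/1.1" 200 96 "-" "-" 5.03
198.51.100.4 - - [10/Jan/2020:10:01:00 +0000] "GET /d4d/alarms.php?loadAlarms=1&user_id=1&search_str=test&column=msg&order=modified_ts HTTP/1.1" 200 4410 "-" "-" 0.08
198.51.100.4 - - [10/Jan/2020:10:01:05 +0000] "GET /cgi-bin/login.cgi?getPermissionsAndPreferences=1 HTTP/1.1" 200 96 "-" "-" 0.05
""".splitlines()

def scan(lines):
    """Map 1-based line number to findings, skipping clean lines."""
    hits = {i: inspect(l) for i, l in enumerate(lines, 1)}
    return {i: f for i, f in hits.items() if f}
```

`scan(SAMPLE)` flags the first two lines only; the benign alarms.php and login.cgi requests pass.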

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P