Advisory: SQL-Injection in CitrusDB 

RedTeam found an SQL-Injection vulnerability in CitrusDB.

### Details

- Product: CitrusDB
- Affected Version: 0.3.6 (verified), probably \<= 0.3.5, too
- Immune Version: none (2005-02-03)
- OS affected: all
- Security-Risk: low
- Remote-Exploit: no
- Vendor-URL: `http://www.citrusb.org`
- Vendor-Status: informed
- Advisory-URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2005-004`
- Advisory-Status: public
- CVE: CAN-2005-0410
- (`https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0410#`)

### Introduction

Description from vendor: "CitrusDB is an open source customer database
application that uses PHP and a database backend (currently MySQL) to keep
track of customer information, services, products, billing, and customer
service information."

CitrusDB does not filter special characters (e.g. single quotes) from
uploaded csv files.

### More Details

In ./citrusdb/tools/importcc.php data from a previous uploaded csv file is
inserted into the mysql database but none of the values is filtered.

### Proof of Concept

A csv file with content

',,,,,

makes the SQL-Query in ./citrusdb/tools/importcc.php fail.

### Workaround

Check csv files manually for single quotes before upload.

### Fix

n/a

### Security Risk

The security risk is rated low because only special users may upload csv
files and with this SQL injection it is only possible to inject data that
could be easier injected directly through csv file.

### History

- 2005-02-04 Email sent to author
- 2005-02-12 CVE number requested
- 2005-02-14 posted as CAN-2005-0410
- 2009-05-08 Updated Advisory URL

### RedTeam

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
information on the RedTeam Project at
`https://www.redteam-pentesting.de`