R-336: XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logo
Cisco CallManager and Unified Communications Manager are vulnerable to cross-site Scripting (XSS) and SQL Injection attacks in the lang variable of the admin and user logon pages. The risk is MEDIUM. A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database.
Mods please move if posted in wrong section, I wasnt sure where to ask this one.
There are several of us that use an open source program called yiimp, https://github.com/tpruvot/yiimp
several of our sites were attacked last night and I am reaching out to you guys to see if then vulnerability... (0 Replies)
I want to grep/awk /var/log/httpd/mysite-access_log.log and check if 2 words from the following appear in a single line:
benchmark
union
information_schema
drop
truncate
group_concat
into
file
case
hex
lpad
group
order
having
insert
union
select
from (12 Replies)
ODBC_PREPARE(3) 1 ODBC_PREPARE(3)odbc_prepare - Prepares a statement for executionSYNOPSIS
resource odbc_prepare (resource $connection_id, string $query_string)
DESCRIPTION
Prepares a statement for execution. The result identifier can be used later to execute the statement with odbc_execute(3).
Some databases (such as IBM DB2, MS SQL Server, and Oracle) support stored procedures that accept parameters of type IN, INOUT, and OUT as
defined by the ODBC specification. However, the Unified ODBC driver currently only supports parameters of type IN to stored procedures.
PARAMETERS
o $connection_id
-The ODBC connection identifier, see odbc_connect(3) for details.
o $query_string
- The query string statement being prepared.
RETURN VALUES
Returns an ODBC result identifier if the SQL command was prepared successfully. Returns FALSE on error.
EXAMPLES
Example #1
odbc_execute(3) and odbc_prepare(3) example
In the following code, $success will only be TRUE if all three parameters to myproc are IN parameters:
<?php
$a = 1;
$b = 2;
$c = 3;
$stmt = odbc_prepare($conn, 'CALL myproc(?,?,?)');
$success = odbc_execute($stmt, array($a, $b, $c));
?>
If you need to call a stored procedure using INOUT or OUT parameters, the recommended workaround is to use a native extension for your
database (for example, mssql for MS SQL Server, or oci8 for Oracle).
SEE ALSO odbc_execute(3).
PHP Documentation Group ODBC_PREPARE(3)