CVE-2012-1259

9.8 CRITICAL

📋 TL;DR

This CVE describes multiple SQL injection vulnerabilities in Plixer International's Scrutinizer NetFlow & sFlow Analyzer that allow remote attackers to execute arbitrary SQL commands. Attackers can exploit these vulnerabilities through specific CGI scripts and PHP files to potentially gain unauthorized access to the database. Organizations running affected versions of Scrutinizer are vulnerable to these attacks.

💻 Affected Systems

Products:
  • Plixer International Scrutinizer NetFlow & sFlow Analyzer
Versions: all versions before 9.0.1.19899 (8.6.2.16204 is specifically confirmed affected)
Operating Systems: Any OS running Scrutinizer (typically Linux-based)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects multiple CGI scripts and PHP files that are typically accessible in default installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Scrutinizer system leading to full database access, credential theft, data exfiltration, and potential lateral movement to connected network infrastructure.

🟠 Likely Case

Unauthorized database access allowing attackers to view, modify, or delete sensitive network flow data, user credentials, and system configuration information.

🟢 If Mitigated

Limited impact with proper network segmentation and database permissions, potentially allowing only read access to non-sensitive data.

🌐 Internet-Facing: HIGH - The vulnerable CGI scripts are typically exposed to network traffic, making internet-facing instances particularly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Even internally deployed instances are vulnerable to attacks from compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available, and exploitation requires minimal technical skill due to the straightforward SQL injection vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.1.19899 and later

Vendor Advisory: https://www.plixer.com/support/security-advisories/

Restart Required: Yes

Instructions:

1. Download Scrutinizer version 9.0.1.19899 or later from the Plixer support portal.
2. Back up the current configuration and database.
3. Stop the Scrutinizer services.
4. Install the updated version.
5. Restart the services and verify functionality.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (all platforms)

Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoints. The ModSecurity operator below uses the libinjection-based SQLi detector, which is available in ModSecurity 2.7.1 and later.

# Example ModSecurity rule:
SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"

Access Restriction (linux)

Restrict network access to the Scrutinizer web interface using firewall rules. The ACCEPT rules below only restrict access if a later rule (or the chain's default policy) drops traffic to those ports from every other source.

# Example iptables rules (replace trusted_network with your management subnet):
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Scrutinizer from untrusted networks
  • Deploy a web application firewall with SQL injection detection rules in front of Scrutinizer

🔍 How to Verify

Check if Vulnerable:

Check Scrutinizer version via web interface admin panel or by examining installed files. Versions below 9.0.1.19899 are vulnerable.

Check Version:

Check the web interface at /admin/ or examine /usr/local/scrutinizer/version.txt on Linux systems.

Verify Fix Applied:

Verify version is 9.0.1.19899 or higher and test vulnerable endpoints with safe SQL injection test payloads to confirm they're no longer exploitable.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL error messages
  • Access to /cgi-bin/scrut_fa_exclusions.cgi with SQL-like parameters

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, INSERT) to vulnerable endpoints
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (uri="/cgi-bin/scrut_fa_exclusions.cgi" OR uri="/cgi-bin/login.cgi" OR uri="/d4d/alarms.php") AND (query="*addip*" OR query="*getPermissionsAndPreferences*" OR query="*search_str*") AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*")
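The SIEM query above matches literal, upper-case keywords in the raw request string. The following script is an added example (not part of the original advisory or of the Scrutinizer product) that applies the same endpoint, parameter and keyword lists to web-server access-log lines, but percent-decodes each parameter value first (including double-encoded values) and matches case-insensitively, which the literal query would miss. It assumes Apache/nginx "combined" log format; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoints and parameter names taken from the advisory's SIEM query.
WATCHED_PATHS = {"/cgi-bin/scrut_fa_exclusions.cgi", "/cgi-bin/login.cgi", "/d4d/alarms.php"}
WATCHED_PARAMS = {"addip", "getPermissionsAndPreferences", "search_str"}
# SQL keywords named on the page plus the two SQL comment openers, matched case-insensitively.
SQL_PATTERN = re.compile(r"\b(UNION|SELECT|INSERT)\b|--|/\*", re.IGNORECASE)
# Assumed input: Apache/nginx "combined" access-log lines (an assumption, not stated on the page).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(line):
    """Return a finding dict for one access-log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line: ignore rather than guess
    url = urlsplit(m.group("target"))
    if url.path not in WATCHED_PATHS:
        return None
    hits = []
    # parse_qs percent-decodes once; unquote_plus decodes again so a
    # double-encoded value (%2527 -> %27 -> ') is matched in its final form.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)
            if SQL_PATTERN.search(decoded):
                hits.append((name, decoded))
    if not hits:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), "path": url.path,
            "status": int(m.group("status")), "params": hits}

def scan_log(lines):
    """Run inspect_request over an iterable of log lines and collect the findings."""
    return [f for f in map(inspect_request, lines) if f is not None]

# Constructed sample lines (not real traffic). Lines 1 and 3 should be flagged;
# line 3 is double-encoded and lower-case, which a literal "*UNION*" match would miss.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2012:12:00:01 +0000] "GET /cgi-bin/scrut_fa_exclusions.cgi?addip=10.0.0.1%27%20UNION%20SELECT%201,2,3--&x=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2012:12:00:02 +0000] "GET /cgi-bin/scrut_fa_exclusions.cgi?addip=10.0.0.1 HTTP/1.1" 200 210',
    '203.0.113.5 - - [10/Mar/2012:12:00:03 +0000] "GET /d4d/alarms.php?search_str=%2527%20union%20select%201 HTTP/1.1" 500 88',
    '198.51.100.9 - - [10/Mar/2012:12:00:04 +0000] "GET /index.php?q=SELECT HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Mar/2012:12:00:05 +0000] "POST /cgi-bin/login.cgi?getPermissionsAndPreferences=1 HTTP/1.1" 302 0',
]
```

Run `scan_log` over a real access log and forward the findings (source, path, decoded parameter) to the SIEM; a 500 status on a flagged request, as in the third sample line, is worth prioritising since it often means the injected input reached the database.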
