CVE-2011-5272 in Domain Technologie Control
Summary
by MITRE
SQL injection vulnerability in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary SQL commands via the vps_note parameter to dtcadmin/logPushlet.php. NOTE: this issue was originally part of CVE-2011-3197, but that ID was SPLIT due to different researchers.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/08/2026
The vulnerability identified as CVE-2011-5272 represents a critical SQL injection flaw within Domain Technologie Control (DTC) software version 0.34.0 and earlier. This security weakness resides in the dtcadmin/logPushlet.php component where the vps_note parameter fails to properly sanitize user input before incorporating it into database queries. The vulnerability affects remote authenticated users who can leverage this flaw to execute arbitrary SQL commands against the underlying database system, potentially leading to complete system compromise.
This vulnerability directly maps to CWE-89, which specifically addresses SQL injection weaknesses in software applications. The flaw occurs when user-supplied data flows directly into SQL query construction without adequate validation or escaping mechanisms, creating an attack surface where malicious actors can manipulate database operations. The authentication requirement for exploitation means that attackers must first establish legitimate credentials, but once obtained, they can leverage this vulnerability to escalate privileges and access sensitive data. The operational impact extends beyond simple data theft, as attackers can modify database contents, create new database accounts, or even execute system commands depending on the database server configuration and the privileges of the database user account.
The technical exploitation of this vulnerability requires an attacker to authenticate to the DTC system with valid credentials and then craft malicious input for the vps_note parameter. When submitted through the logPushlet.php endpoint, the unsanitized input gets directly embedded into SQL queries, allowing attackers to inject additional SQL statements that can manipulate the database as if they were executing legitimate administrative commands. This type of vulnerability aligns with ATT&CK technique T1071.005 for application layer protocol usage and T1190 for exploitation of remote services, representing a classic case of improper input validation leading to database compromise. The attack vector is particularly concerning because it operates within the administrative interface, potentially providing access to sensitive system information and configuration data that would otherwise be restricted to authorized personnel only.
Organizations affected by this vulnerability should immediately upgrade to DTC version 0.34.1 or later, which includes proper input sanitization measures for the vps_note parameter. Additionally, implementing proper parameterized queries and input validation techniques can prevent similar issues in other applications. Network segmentation and access controls should be enforced to limit administrative access to only necessary personnel, reducing the potential impact of credential compromise. Regular security assessments and code reviews focusing on input validation practices can help identify and remediate similar vulnerabilities before they can be exploited by malicious actors. Database activity monitoring should also be implemented to detect anomalous SQL query patterns that might indicate exploitation attempts.