| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat Apr 9 03:36:59 2005 From: greyhat007 at gmail.com (grey hat) Subject: [ISR] - SiteProtector Console Sql-Injection Its www.iss.net and not www.iss.com.... On Apr 8, 2005 12:25 PM, Francisco Amato <famato@...obyte.com.ar> wrote: > || > || [ISR] > || Infobyte Security Research > || www.infobyte.com.ar > || 04.08.2005 > || > > .:: SUMMARY > > ISS - SiteProtector Console Sql-Injection > > Version: 2.0.5.690, It is suspected that all previous versions of > SiteProtector Console > are vulnerable. > > .:: BACKGROUND > > SiteProtector is a security management system that provides a centralized > view and analysis of network, > server, and desktop protection agents and appliances. > > http://www.iss.com > > .:: DESCRIPTION > > A Sql-injection vulnerability affect SiteProtector Console > This issue is due to a failure of the application to securely copy > user-supplied data into > fields "Tag Name" and "Object Name" of Incidents/Exception that user create > or modify. > > Simple string use: "'" > > Error that display when it make the injection: > > ######################BEGIN############################ > > A Database or SQL Error occurred while working with Site Rules. > net.iss.rssp.gui.site.analysis.exceptions.CommonSiteRuleException > at > net.iss.rssp.gui.site.analysis.AnalysisDataManager.throwCommonSiteRuleExcept > ion(AnalysisDataManager.java:442) > at > net.iss.rssp.gui.site.analysis.AnalysisDataManager.createSiteFilter(Analysis > DataManager.java:350) > at > net.iss.rssp.gui.site.analysis.command.AddEditSiteRuleCommand.execute(AddEdi > tSiteRuleCommand.java:48) > at > net.iss.command.CommandTemplate.templateExecute(CommandTemplate.java:179) > at net.iss.command.CommandHandler.executeCommand(CommandHandler.java:148) > at net.iss.command.CommandHandler.run(CommandHandler.java:116) > > A database error occurred in the method "createNewSiteRule". > net.iss.rssp.entity.exceptions.SiteRuleException > at > net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: > 357) > at > net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke > rImpl.java:211) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at > net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav > a:22) > at > net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java > :114) > at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) > at sun.rmi.transport.Transport$1.run(Unknown Source) > at java.security.AccessController.doPrivileged(Native Method) > at sun.rmi.transport.Transport.serviceCall(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > > Database Error > SQL State = 42000 > Vendor code = 105 > Vendor msg = [42000][Microsoft][ODBC SQL Server Driver][SQL > Server]Unclosed quotation mark before the character > string '') > AND NOT EXISTS (SELECT 1 > FROM ObservanceSiteFilters OSF WITH (NOLOCK) > WHERE OSF.ObservanceID = OB.ObservanceID > AND OSF.SiteFilterRuleID = 853)'. > > net.iss.rssp.db.DataAccessException > at > net.iss.rssp.server.database.DatabaseObjectHandlerBase.handleSQLException(Da > tabaseObjectHandlerBase.java:75) > at > net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: > 134) > at > net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: > 348) > at > net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke > rImpl.java:211) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at > net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav > a:22) > at > net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java > :114) > at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) > at sun.rmi.transport.Transport$1.run(Unknown Source) > at java.security.AccessController.doPrivileged(Native Method) > at sun.rmi.transport.Transport.serviceCall(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > > Error Inserting into table ObservanceSiteFilters Code: 52000 DB Key: 0 > > java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL > Server]Unclosed quotation mark before the > character string '') > AND NOT EXISTS (SELECT 1 > FROM ObservanceSiteFilters OSF WITH (NOLOCK) > WHERE OSF.ObservanceID = OB.ObservanceID > AND OSF.SiteFilterRuleID = 853)'. > > at ids.sql.IDSSocket.error(IDSSocket.java:325) > at ids.sql.IDSSocket.verify(IDSSocket.java:270) > at ids.sql.IDSPrepared.execute(IDSPrepared.java:578) > at ids.sql.IDSPrepared.execute(IDSPrepared.java:559) > at > net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: > 103) > at > net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: > 348) > at > net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke > rImpl.java:211) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at > net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav > a:22) > at > net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java > :114) > at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) > at sun.rmi.transport.Transport$1.run(Unknown Source) > at java.security.AccessController.doPrivileged(Native Method) > at sun.rmi.transport.Transport.serviceCall(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > > java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL > Server]Unclosed quotation mark before the > character string '') > AND NOT EXISTS (SELECT 1 > FROM ObservanceSiteFilters OSF WITH (NOLOCK) > WHERE OSF.ObservanceID = OB.ObservanceID > AND OSF.SiteFilterRuleID = 853)'. > > at ids.sql.IDSSocket.error(IDSSocket.java:325) > at ids.sql.IDSSocket.verify(IDSSocket.java:270) > at ids.sql.IDSPrepared.execute(IDSPrepared.java:578) > at ids.sql.IDSPrepared.execute(IDSPrepared.java:559) > at > net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: > 103) > at > net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: > 348) > at > net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke > rImpl.java:211) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at > net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav > a:22) > at > net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java > :114) > at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) > at sun.rmi.transport.Transport$1.run(Unknown Source) > at java.security.AccessController.doPrivileged(Native Method) > at sun.rmi.transport.Transport.serviceCall(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > > java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL > Server]Line 10: Incorrect syntax near '') > AND NOT EXISTS (SELECT 1 > FROM ObservanceSiteFilters OSF WITH (NOLOCK) > WHERE OSF.ObservanceID = OB.ObservanceID > AND O'. > > at ids.sql.IDSSocket.error(IDSSocket.java:325) > at ids.sql.IDSSocket.verify(IDSSocket.java:270) > at ids.sql.IDSPrepared.execute(IDSPrepared.java:578) > at ids.sql.IDSPrepared.execute(IDSPrepared.java:559) > at > net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: > 103) > at > net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: > 348) > at > net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke > rImpl.java:211) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at > net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav > a:22) > at > net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java > :114) > at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) > at sun.rmi.transport.Transport$1.run(Unknown Source) > at java.security.AccessController.doPrivileged(Native Method) > at sun.rmi.transport.Transport.serviceCall(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) > at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > > #######################END############################# > > .:: EXTRA > > We did not find any way to perform any unautorized actions or gain > additional privileges > > .:: DISCLOSURE TIMELINE > > 04/01/2005 Initial vendor notification > 04/06/2005 Initial vendor response > 04/08/2005 Public disclosure > > .:: CREDIT > > Francisco Amato is credited with discovering this vulnerability. > famato][at][infobyte][dot][com][dot][ar > > .:: LEGAL NOTICES > > Copyright (c) 2005 by [ISR] Infobyte Security Research. > Permission to redistribute this alert electronically is granted as long as > it is not > edited in any way unless authorized by Infobyte Security Research Response. > Reprinting the whole or part of this alert in any medium other than > electronically > requires permission from infobyte com ar > > Disclaimer > The information in the advisory is believed to be accurate at the time of > publishing > based on currently available information. Use of the information constitutes > acceptance > for use in an AS IS condition. There are no warranties with regard to this > information. > Neither the author nor the publisher accepts any liability for any direct, > indirect, or > consequential loss or damage arising from use of, or reliance on, this > information. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
Powered by blists - more mailing lists