lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201404060643.s366hJEA018345@sf01web1.securityfocus.com>
Date: Sun, 6 Apr 2014 06:43:19 GMT
From: tudor.enache@...pag.com
To: bugtraq@...urityfocus.com
Subject: Pearson eSIS Enterprise Student Information System SQL Injection

Advisory ID: hag201478
Product: Pearson eSIS Enterprise Student Information System
Vendor: PearsonVue
Vulnerable Version(s): Any version
Advisory Publication: April 06, 2014
Vendor Notification: March 05, 2014
Public Disclosure: April 06, 2014
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command [CWE-89]
CVE Reference: CVE-2014-1455
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution not yet released
Discovered and Provided: Ali Hussein and Tudor Enache from Help AG Middle East

------------------------------------------------------------------------

-----------------------

about the vendor:
Pearson VUE provides a full suite of services from test development to data management, and delivers exams through the world’s most comprehensive and secure network of test centers in 175 countries. Pearson VUE is a business of Pearson (NYSE: PSO; LSE: PSON), the world's leading learning company.

Advisory Details:

During a Pentest Help AG discovered the following:
SQL Injection in password reset. The context in which the unsanitized new password was sent was an “ALTER USER” statement. We were able to lock/unlock the current user, grant database level roles and guess tablespaces and users by creating custom SQL commands

1) SQL Injection in Pearson eSIS Enterprise Student Information System password reset: CVE-2014-1455

To reproduce the issue any user can access the passwor reset functionality, intercept the request with a local http proxy and change the new password with any payload that is suitable in an ALTER USER oracle statement.

By using the above technique hacker could be able to: lock/unlock current account, guess proxy users, guess tablespaces, guess tablespaces, users, roles and alter the authentication type of the current user

--------------------------------------------------

-----------------------

Solution:

The vendor was notified, contact the vendor for the patch details

------------------------------------------------------------------------

-----------------------

References:

[1] help AG middle East http://www.helpag.com/.
[2] Peason eSIS http://www.pearsonschoolsystems.com/products/esis/
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

------------------------------------------------------------------------

-----------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ