lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 2 May 2011 09:44:27 -0700
From: VSR Advisories <advisories@...curity.com>
To: "'full-disclosure\@lists\.grok\.org\.uk'"
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: ZDI-11-143: Cisco Unified CallManager
 xmldirectorylist.jsp SQL Injection Vulnerability


Hello,

VSR independently discovered this SQL injection flaw (CVE-2011-1610)
and reported it to Cisco on November 11, 2010.  Since we had very
limited time to preform testing on the product, and because Cisco
informed us that another researcher had reported the same flaw shortly
before us, we decided not to write a formal advisory.

However, I would like to add some additional technical information for
those who need to test for this flaw to determine if they are
vulnerable.  

During our tests on version 7.1.3.32900-4 of the product, we found
that SQL query errors generated by attacks causes the vulnerable JSP
script to return no records, but does not present any error message.
To confirm the injection existed, the result from the following two
query URLs were compared:

 /ccmcip/xmldirectorylist.jsp?f=vsr'||0/1%20OR%201=1))%20--

 /ccmcip/xmldirectorylist.jsp?f=vsr'||1/0%20OR%201=1))%20--

The first URL returns a very large record set (likely all user
records) while the second query returns no records.  The only
difference between the two being the order in which '0' and '1' appear
in the query, with the latter generating a divide-by-zero error.  It
is likely that a simpler test case can be developed, but this is what
we came up with during very limited testing.  We did not explore
injections on the l and n parameters.

Thank you,
tim

http://www.vsecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists