lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <56E21ABB-D235-4A08-8339-20B6E51075D8@ddifrontline.com>
Date: Tue, 19 Jun 2012 10:21:58 -0500
From: ddivulnalert <ddivulnalert@...frontline.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: DDIVRT-2012-45 SolarWinds Network Performance
	Monitor Blind SQL Injection

Title
-----
DDIVRT-2012-45 SolarWinds Network Performance Monitor Blind SQL Injection

Severity
--------
High

Date Discovered
---------------
April 26, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@...$

Vulnerability Description
-------------------------
The SolarWinds Orion Network Performance Monitor 9.1 and prior
contains a blind SQL injection flaw on the 'Login.asp' page. An
attacker can leverage this flaw to execute arbitrary SQL commands and
extract sensitive information from the backend database using standard
blind SQL injection exploitation techniques.

This vulnerability applies to installations that have been upgraded
from version 9.1 or prior. Fresh installations and migrations starting
with version 9.5 do not contain this vulnerability.

Solution Description
--------------------
SolarWinds has addressed the issue in releases subsequent to and
including version 9.5 and has provided the following options to
resolve the issue:

1. Upgrade to the latest version of Network Performance Monitor
2. Manually delete the 'Login.asp' page from the vulnerable
installation – the vulnerable page has not been used for several
versions but does not get removed through the application of upgrades.

Please contact SolarWinds support for assistance in addressing the
issue.

Tested Systems / Software
-------------------------
SolarWinds Orion Network Performance Monitor 9.1

Vendor Contact
--------------
Vendor Name: SolarWinds
Vendor Website: http://www.solarwinds.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ