[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <c5e1ab9.3cfa9b3ecaf820b0492c686619138058@slender.xnite.org>
Date: Fri, 5 Jul 2013 06:26:50 +0000
From: xnite@...te.org
To: full-disclosure@...ts.grok.org.uk
Subject: eResourcePlanner Authentication Bypass/SQL
Injection
I have been trying to contact the ERP company for the past year with a bug
which could affect dozens of companies including cell phone providers, call
centers, and more.
eResourcePlanner provides resource planning software to companies, which
are hosted on their own subdomain "rp4me.com".
The SQL injection was stumbled upon during a legitimate login attempt in
which I received an SQL error by accidentally typing an ' into my password.
With minimal research it was not difficult to find that the username table
on the MySQL database was "userid".
Any client could simply put the following string (replacing username with
their actual username or a portion of a username) into the username portion
of the login field, and be logged in from that point as any user they would
like.
The string is on it's own line as follows:
a' OR userid like '%username%' OR 'a
Given that the username, or first match of the string given in the like
statement matches an active account, you will be logged in now as that
user.
Other more minor security issues that I would like to point out are seen
within an actual SQL error which looks like the following:
[MySQL][ODBC 5.1 Driver][mysqld-5.5.9-log]You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version for
the right syntax to use near '''' AND lcase(Password) = ''' at line 1
Things that need to pointed out here are listed below:
* A production machine should never be displaying the contents of an SQL
error, this is a primary way an attacker may discover a vulnerability.
* lcase(Password) shows us that no matter what password is given, it is
converted to lower-case lettering anyway, disallowing what might be
considered a "strong password". This makes brute-forcing passwords much
easier.
* The error string displays the version of the MySQL Server Daemon, which
could be used to find other potential vulnerabilities to compromise the
daemon.
* MySQL Server Daemon is out of date, 5.5.9 was released February of 2011.
FOR THE RECORD:
I have not used this vulnerability with any malicious intent, and
everything I touched was perfectly legal/ethical. I used this to login to
only my account, and those of which I had permission to do so. I have tried
to go the safe route for over a year and disclose this privately with the
company providing the software (eresourceplanner.com) with no response
back, and I have decided at this point that it's better to make it public
and hope that it will be fixed, than to keep it private while those with
malicious intent may already be a ghost in the system.
---
R. Whitney - Independent IT ConsultantPhone: (347)674-4835
Postal: PO Box 5984, Bloomington, IL 61702-5984
Other: My Blog (http://xnite.org) / LinkedIn
(http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite)
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists