lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <F0476408-6C74-490F-A22C-8F75A7A2EEFE@gmail.com>
Date: Tue, 30 Jun 2015 01:24:21 +0200
From: Blazej Adamczyk <blazej.adamczyk@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] ManageEngine Password Manager Pro 8.1 SQL Injection
	vulnerability

Title: ManageEngine Password Manager Pro SQL 8.1 Injection vulnerability
Author: Blazej Adamczyk (br0x)
Date: 2015-06-30
Download site: https://www.manageengine.com/products/passwordmanagerpro/download.html
Version: 8.1 and below
Vendor: https://www.manageengine.com/products/passwordmanagerpro/
Vendor Notified: 2015-06-30
Vendor Contact: passwordmanagerpro-support@...ageengine.com

Description:
An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc.
The SQL query is build manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.

Details:
The problem is with escaping the operator when more then one condition is specified in the advanced search. The broken url:
https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT***&condition_1=Ptrx_Resource@...OURCENAME&operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resource@...OURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP


--
Regards,
Blazej Adamczyk
blazej.adamczyk@...il.com
PGP: 0x7423F7B7 (pgp.mit.edu)
Fingerprint=CBAF 608A E20B 06F2 C172  A853 B70E 6F79 7423 F7B7









Download attachment "signature.asc" of type "application/pgp-signature" (496 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ