lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMEbvH9_Q18_u8YYCruf4ONcODVzqihEKyOSKnamPkLwOxTDjw@mail.gmail.com> Date: Tue, 27 Mar 2018 11:12:11 -0600 From: Hate Shape <hateshape@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Blind SQL Injection in Square 9 GlobalForms <= 6.2.x (CVE-2018-8820) # Blind SQL Injection in Square 9 GlobalForms <= 6.2.x (CVE-2018-8820) ## Product Description GlobalForms® is Square 9’s powerful web forms product. GlobalForms can live separate of GlobalSearch and runs on a separate Web Engine. ## Vulnerability Type Blind SQL injection ## Vulnerability Description Square 9 GlobalForms versions 6.2.x (and possibly others) are vulnerable to blind SQL injection in the match parameter wihtin the "/frevvo/web/tn/d/users?match=" path. This is a remotely accessible, authenticated function within default Square 9 GlobalForms instances. ## Exploit A proof of concept is available here: https://github.com/hateshape/frevvomapexec ## Versions Square 9 GlobalForms <= 6.2.x ## Attack Type Authenticated, Remote # Default Credentials Username: admin Password: admin@d ## Impact The SQL injection vulnerability can be used to exfiltrate sensitive information from the MSSQL DBMS used with GlobalForms. In every case that was tested the DBMS was running with SYSTEM privileges and was successfully used in conjunction with xp_cmdshell to establish an interactive shell. ## Credit This vulnerability was discovered by Darrell Damstedt <hateshape () gmail com>. ## References CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8820 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists