SolarWinds Network Performance Monitor Blind SQL Injection

2012.06.20
Credit: r@b13$
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Title
-----
DDIVRT-2012-45 SolarWinds Network Performance Monitor Blind SQL Injection

Severity
--------
High

Date Discovered
---------------
April 26, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
The SolarWinds Orion Network Performance Monitor 9.1 and prior contains a blind SQL injection flaw on the 'Login.asp' page. An attacker can leverage this flaw to execute arbitrary SQL commands and extract sensitive information from the backend database using standard blind SQL injection exploitation techniques.

This vulnerability applies to installations that have been upgraded from version 9.1 or prior. Fresh installations and migrations starting with version 9.5 do not contain this vulnerability.

Solution Description
--------------------
SolarWinds has addressed the issue in releases subsequent to and including version 9.5 and has provided the following options to resolve the issue:

1. Upgrade to the latest version of Network Performance Monitor.
2. Manually delete the 'Login.asp' page from the vulnerable installation; the vulnerable page has not been used for several versions but does not get removed through the application of upgrades.

Please contact SolarWinds support for assistance in addressing the issue.

Tested Systems / Software
-------------------------
SolarWinds Orion Network Performance Monitor 9.1

Vendor Contact
--------------
Vendor Name: SolarWinds
Vendor Website: http://www.solarwinds.com/
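A defender-side check for the two points the advisory makes (a mitigated install should no longer serve the legacy 'Login.asp' page, and blind SQL injection shows up as a burst of requests to that page from one client), added here as example code that is not part of the advisory or of any SolarWinds tooling. It assumes IIS W3C logs with the field order shown and uses constructed sample lines and hypothetical client IPs.

```python
import re
from collections import defaultdict

# Legacy page that a patched install should no longer serve (per the advisory).
LEGACY_PAGE = "/login.asp"

# Constructed sample IIS W3C log lines (illustrative, not from the advisory).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-04-26 10:00:01 10.0.0.5 GET /Orion/Login.aspx - 200
2012-04-26 10:00:02 10.0.0.9 POST /Login.asp - 200
2012-04-26 10:00:03 10.0.0.9 POST /Login.asp - 200
2012-04-26 10:00:04 10.0.0.9 POST /Login.asp - 200
2012-04-26 10:00:05 10.0.0.9 POST /Login.asp - 200
2012-04-26 10:00:06 10.0.0.9 POST /Login.asp - 200
2012-04-26 10:00:07 10.0.0.9 POST /Login.asp - 200
2012-04-26 10:00:08 10.0.0.7 GET /Login.asp - 404
2012-04-26 10:00:09 10.0.0.5 GET /Orion/Summary.aspx - 200
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Yield one dict per data line; '#' directive lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line) if not line.startswith("#") else None
        if m:
            ip, method, stem, query, status = m.groups()
            yield {"ip": ip, "method": method, "stem": stem,
                   "query": query, "status": int(status)}

def legacy_page_hits(text, burst_threshold=5):
    """Per-client summary of requests to the legacy page.
    A 2xx means the page is still present (mitigation not applied); a
    burst from one client is the request pattern blind SQLi depends on,
    since each inferred bit of data costs its own request."""
    per_ip = defaultdict(lambda: {"hits": 0, "served": 0, "burst": False})
    for rec in parse_log(text):
        if rec["stem"].lower() != LEGACY_PAGE:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["served"] += int(200 <= rec["status"] < 300)
        entry["burst"] = entry["hits"] >= burst_threshold
    return dict(per_ip)

if __name__ == "__main__":
    for ip, info in legacy_page_hits(SAMPLE_LOG).items():
        print(ip, info)
```

Any entry with a non-zero "served" count means the page is still being answered and the advisory's deletion step has not been applied; a "burst" entry is worth correlating with the database server's query log.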

References:

http://www.solarwinds.com/

