Kwok Information Server Blind Sql Injection

2013-09-13 / 2013-10-20

Credit: Yogesh Phadtare

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-5028

CWE: CWE-89

CVSS Base Score: 6.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8/10

Exploit range: Remote

Attack complexity: Low

Authentication: Single time

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##
||                                                                  ||
|| Advisory           : Kwok Information Server Blind Sql Injection ||
|| Affected Version   : 2.7.3 & 2.8.4                               ||
|| Vendor             : http://www.kwoksys.com/index.php            ||
|| Risk               : Medium                                      ||
|| CVE-ID             : 2013-5028                                   ||
|| Tested on Platform : Windows 7                                   ||
##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##
 
============
 
Product Description:
 
Kwok Information Server is an open source IT management system, providing a single application for managing IT assets, software licenses, contracts, issues, contacts. Additional modules include portal, RSS, blogging. (from product home page)
 
============
 
Vulnerability Description:
 
A Blind SQL Injection vulnerability has been detected in Kwok Information Server. Application failed to sanitize user supplied input in parameters "hardwareType", "hardwareStatus" and "hardwareLocation" of page hardware-index.
 
User must be authenticated to exploit this vulnerability.
 
This vulnerability was tested with Kwok Information Server 2.7.3 and 2.8.4. Other versions may also be affected.
 
=============
 
Impact:
 
Successful exploitation of this vulnerability will allow a remote authenticated attacker to extract
sensitive and confidential data from the database.
 
=============
 
Proof of Concept:
 
1]
Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareType=49[Inject Payload Here]
 
2]
Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareStatus=0[Inject Payload Here]
 
3]
Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareLocation=0[Inject Payload Here]
 
 
=============
 
Solution:
 
This vulnerability has been fixed in version 2.8.5 of Kwok Information Server.
 
=============
 
Disclosure Timeline:
~Vendor notification: 31st July
~Vendor response: 31st July
~Vendor released updates: 7th August
~Public disclosure: 12th September
===========================================================================================================
 
Advisory discovered by: Yogesh Phadtare 
                        Secur-I Research Group
                        http://securview.com/

References:

http://www.kwoksys.com/index.php

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Kwok Information Server Blind Sql Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.