AlienVault OSSIM 4.3 SQL Injection

2014.02.07
Credit: Andrew Smith
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

INDEX
---------------------------------------
1. Background
2. Description
3. Affected Products
4. Vulnerability
5. Solution
6. Credit
7. Disclosure Timeline

1. BACKGROUND
---------------------------------------
OSSIM by AlienVault is an Open Source Security Information and Event Management (SIEM) platform, comprising a collection of tools designed to aid network administrators in computer security, intrusion detection and prevention. (Wikipedia)

2. DESCRIPTION
---------------------------------------
A vulnerability has been discovered in OSSIM's OCS Inventory web interface due to insufficient input validation before untrusted, user-supplied data is inserted into a SQL query.

3. AFFECTED PRODUCTS
---------------------------------------
AlienVault OSSIM 4.3

4. VULNERABILITIES
---------------------------------------
4.1 /ocsreports/tele_stats.php
4.1.1 The associated query was confirmed to be running with 'root' user privileges

5. SOLUTION
---------------------------------------
The vendor was contacted and confirmed that the vulnerable application was removed in recent versions. Upgrade to the latest version.
http://forums.alienvault.com/discussion/1873/security-advisory-all-alienvault-versions-prior-to-v4-3-3-1

6. CREDIT
---------------------------------------
This vulnerability was discovered by Andrew Smith.

7. DISCLOSURE TIMELINE
---------------------------------------
1-18-2014 - Vulnerability Discovered
1-27-2014 - Vendor Informed
2-3-2014 - Public Disclosure
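The defect class the advisory describes (request data concatenated into a SQL query, with the query executing as root) and its standard remediation, shown as an added PHP example. This is not code from OSSIM or OCS Inventory; the function names, the `inventory_stats` table and its columns, the DSN, and the `ocs_readonly` account are hypothetical.

```php
<?php
// Added example, not code from OSSIM or OCS Inventory. It illustrates the
// CWE-89 pattern the advisory describes and one way to fix it. The table
// inventory_stats and its columns hostname/period/count are hypothetical.

// VULNERABLE PATTERN: untrusted request data is interpolated straight into the
// statement text, so the database cannot tell data from SQL.
function statsForHostVulnerable(mysqli $db, array $get): array
{
    $host = $get['host'] ?? '';
    $sql  = "SELECT period, count FROM inventory_stats WHERE hostname = '$host'";
    $res  = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// HARDENED: the statement is prepared with a placeholder and the value is
// bound afterwards, so it is always treated as data regardless of content.
function statsForHost(PDO $db, array $get): array
{
    $host = $get['host'] ?? '';
    // Second layer: allow-list the expected shape of a hostname before it
    // reaches the database at all.
    if (!preg_match('/^[A-Za-z0-9.\-]{1,64}$/', $host)) {
        return [];
    }
    $stmt = $db->prepare(
        'SELECT period, count FROM inventory_stats WHERE hostname = :host'
    );
    $stmt->execute([':host' => $host]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection for the hardened path. Beyond the prepared statement, two settings
// limit impact: emulated prepares are off so the server, not the driver, does
// the binding, and the account is a least-privilege reporting user rather than
// 'root' (section 4.1.1 notes the original query ran as root).
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=ocsweb;charset=utf8mb4'; // hypothetical DSN
    return new PDO($dsn, 'ocs_readonly', getenv('OCS_DB_PASSWORD') ?: '', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage from a request handler:
// $rows = statsForHost(connect(), $_GET);
```

The `ocs_readonly` account should be granted only SELECT on the reporting tables it needs; with that in place, even a future injection in a report page cannot reach the privileges a root-owned query exposes, which is the impact finding 4.1.1 is pointing at.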

References:

http://forums.alienvault.com/discussion/1873/security-advisory-all-alienvault-versions-prior-to-v4-3-3-1
