eSIS Enterprise Student Information System SQL Injection

2014.04.07
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Advisory ID: hag201478
Product: Pearson eSIS Enterprise Student Information System
Vendor: PearsonVue
Vulnerable Version(s): Any version
Advisory Publication: April 06, 2014
Vendor Notification: March 05, 2014
Public Disclosure: April 06, 2014
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command [CWE-89]
CVE Reference: CVE-2014-1455
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution not yet released
Discovered and Provided: Ali Hussein and Tudor Enache from Help AG Middle East

------------------------------------------------------------------------

About the vendor:

Pearson VUE provides a full suite of services from test development to data management, and delivers exams through the world's most comprehensive and secure network of test centers in 175 countries. Pearson VUE is a business of Pearson (NYSE: PSO; LSE: PSON), the world's leading learning company.

Advisory Details:

During a pentest, Help AG discovered the following: SQL injection in password reset. The unsanitized new password was sent in the context of an "ALTER USER" statement. We were able to lock/unlock the current user, grant database-level roles, and guess tablespaces and users by creating custom SQL commands.

1) SQL Injection in Pearson eSIS Enterprise Student Information System password reset: CVE-2014-1455

To reproduce the issue, any user can access the password reset functionality, intercept the request with a local HTTP proxy, and change the new password to any payload that is suitable in an Oracle ALTER USER statement.

Using the above technique, an attacker could: lock/unlock the current account; guess proxy users, tablespaces, users and roles; and alter the authentication type of the current user.

------------------------------------------------------------------------

Solution:

The vendor was notified; contact the vendor for the patch details.

------------------------------------------------------------------------

References:

[1] Help AG Middle East - http://www.helpag.com/
[2] Pearson eSIS - http://www.pearsonschoolsystems.com/products/esis/
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

------------------------------------------------------------------------

Disclaimer:

The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.
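The flaw class described in the advisory details, shown next to a hardened form. This is an added example, not code from the advisory or from eSIS: the function names, the identifier pattern, the 30-character limit and the sample input are assumptions. Oracle DDL such as ALTER USER does not accept bind variables, so the defence here is an allowlist for the account name plus a password emitted as a single double-quoted token.

```python
import re

# Assumptions (not from the advisory): account names are simple Oracle
# identifiers and the password limit is 30 characters.
_IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_$#]{0,29}")
MAX_PASSWORD_LEN = 30
_AFTER_PW = re.compile(r'IDENTIFIED BY\s+("[^"]*"|\S+)\s*(.*)$', re.S)

# Constructed input: a "new password" carrying an extra ALTER USER clause.
SAMPLE_INPUT = "Passw0rd1 ACCOUNT LOCK"


def build_alter_user_vulnerable(username, new_password):
    """The flawed pattern: the password lands in the DDL unquoted."""
    return "ALTER USER " + username + " IDENTIFIED BY " + new_password


def build_alter_user_hardened(username, new_password):
    """Allowlist the account name and emit the password as one quoted token."""
    if not _IDENT.fullmatch(username):
        raise ValueError("username is not a simple Oracle identifier")
    if not 1 <= len(new_password) <= MAX_PASSWORD_LEN:
        raise ValueError("password length out of range")
    # A double quote would close the quoted token; Oracle does not allow it
    # in passwords anyway. Control characters are rejected as well.
    if '"' in new_password or any(ord(c) < 0x20 or ord(c) == 0x7F for c in new_password):
        raise ValueError("password contains a forbidden character")
    # Unquoted Oracle identifiers fold to upper case, so quote the upper-cased name.
    return 'ALTER USER "%s" IDENTIFIED BY "%s"' % (username.upper(), new_password)


def trailing_clauses(statement):
    """Return whatever follows the password token; non-empty means injected DDL."""
    match = _AFTER_PW.search(statement)
    return match.group(2) if match else None


if __name__ == "__main__":
    for build in (build_alter_user_vulnerable, build_alter_user_hardened):
        stmt = build("student1", SAMPLE_INPUT)
        print(build.__name__, "->", stmt, "| trailing:", repr(trailing_clauses(stmt)))
```

The account that runs the statement should also hold only the privilege needed to change that one user's password, so that a missed validation case cannot grant roles.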

