ManageEngine Password Manager Pro 8.1 SQL Injection

2015.07.06
Credit: Blazej Adamczyk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Title: ManageEngine Password Manager Pro SQL 8.1 Injection vulnerability Author: Blazej Adamczyk (br0x) Date: 2015-06-30 Download site: https://www.manageengine.com/products/passwordmanagerpro/download.html Version: 8.1 and below Vendor: https://www.manageengine.com/products/passwordmanagerpro/ Vendor Notified: 2015-06-30 Vendor Contact: passwordmanagerpro-support@manageengine.com Description: An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc. The SQL query is build manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar. Details: The problem is with escaping the operator when more then one condition is specified in the advanced search. The broken url: https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT***&condition_1=Ptrx_Resource@RESOURCENAME&operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resource@RESOURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP -- Regards, Blazej Adamczyk blazej.adamczyk@gmail.com PGP: 0x7423F7B7 (pgp.mit.edu) Fingerprint=CBAF 608A E20B 06F2 C172 A853 B70E 6F79 7423 F7B7

References:

https://www.manageengine.com/products/passwordmanagerpro/download.html
https://www.manageengine.com/products/passwordmanagerpro/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top