
List:       full-disclosure
Subject:    [Full-disclosure] DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass
From:       ddivulnalert <ddivulnalert () ddifrontline ! com>
Date:       2012-05-29 15:13:18
Message-ID: C2AE6D03-DE60-4068-AB12-7B8F4E5646FB () ddifrontline ! com


Title
-----
DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass

Severity
--------
High

Date Discovered
---------------
April 2, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
Multiple SQL injection vectors and an authentication bypass were
discovered in SCLIntra Enterprise. An attacker can leverage this flaw to
bypass authentication to the application or to execute arbitrary SQL
commands and extract information from the backend database using
standard SQL exploitation techniques.

Solution Description
--------------------
The vendor has indicated that the current version of SCLIntra Enterprise
is version 6 and does not contain the vulnerabilities reported by DDI.
Any SCLIntra Enterprise customers still using versions prior to 6 should
contact SCLogic at 1.888.700.7027 to remedy the vulnerabilities (a
current SCLogic support contract is required).

Tested Systems / Software
-------------------------
SCLogic SCLIntra Enterprise 5.5.2 on Windows 2003

Vendor Contact
--------------
Vendor Name: SCLogic
Vendor Website: http://www.sclogic.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
