[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] ManageEngine Password Manager Pro 8.1 SQL Injection vulnerability
From: Blazej Adamczyk <blazej.adamczyk () gmail ! com>
Date: 2015-06-29 23:24:21
Message-ID: F0476408-6C74-490F-A22C-8F75A7A2EEFE () gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Title: ManageEngine Password Manager Pro SQL 8.1 Injection vulnerability
Author: Blazej Adamczyk (br0x)
Date: 2015-06-30
Download site: https://www.manageengine.com/products/passwordmanagerpro/download.html
Version: 8.1 and below
Vendor: https://www.manageengine.com/products/passwordmanagerpro/
Vendor Notified: 2015-06-30
Vendor Contact: passwordmanagerpro-support@manageengine.com
Description:
An authenticated user (even the guest user) is able to execute arbitrary SQL code using a \
forged request to the SQLAdvancedALSearchResult.cc. The SQL query is build manually and is not \
escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.
Details:
The problem is with escaping the operator when more then one condition is specified in the \
advanced search. The broken url: \
https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT* \
**&condition_1=Ptrx_Resource@RESOURCENAME&operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resou \
rce@RESOURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP
--
Regards,
Blazej Adamczyk
blazej.adamczyk@gmail.com
PGP: 0x7423F7B7 (pgp.mit.edu)
Fingerprint=CBAF 608A E20B 06F2 C172 A853 B70E 6F79 7423 F7B7
["signature.asc" (signature.asc)]
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQEcBAEBCAAGBQJVkdOqAAoJELcOb3l0I/e35w4IALVJEEr0zst73kYodSdf48eu
piOLbwleMaKF5qS2jsISjct0v8m0pu1rD6CEYhPwWlHE3Mgy83ds998BH+rKYFBQ
HlraOU9M3ozZ28bqWA4bNZm+namYFyA/M8lUYm0iEXCV4iI6eoOgjS0o/PCz/Umk
ImrwwmFljEnIdiRU/4D9mxHaqISypSFz3GLZoHJ/sZePzG663aUofQtbyJ9AIxGu
TEAAm7HuehkZGFlfYU2F3bglNugPghAnpOM3tJe8piapUKb2ls5L/Q0RIzTp23bC
AfQiBS0l2onQzoOnZNZnlGzFR5H5MsiF9/gBJ9p7zJzkUg+3dgFQKqiVsMbywIw=
=XE6j
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic