[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Blind SQL Injection in Square 9 GlobalForms <= 6.2.x (CVE-2018-8820)
From: Hate Shape <hateshape () gmail ! com>
Date: 2018-03-27 17:12:11
Message-ID: CAMEbvH9_Q18_u8YYCruf4ONcODVzqihEKyOSKnamPkLwOxTDjw () mail ! gmail ! com
[Download RAW message or body]
# Blind SQL Injection in Square 9 GlobalForms <= 6.2.x (CVE-2018-8820)
## Product Description
GlobalForms ® is Square 9's powerful web forms product. GlobalForms can
live separate of GlobalSearch and runs on a separate Web Engine.
## Vulnerability Type
Blind SQL injection
## Vulnerability Description
Square 9 GlobalForms versions 6.2.x (and possibly others) are vulnerable to
blind SQL injection in the match parameter wihtin the
"/frevvo/web/tn/d/users?match=" path. This is a remotely accessible,
authenticated function within default Square 9 GlobalForms instances.
## Exploit
A proof of concept is available here:
https://github.com/hateshape/frevvomapexec
## Versions
Square 9 GlobalForms <= 6.2.x
## Attack Type
Authenticated, Remote
# Default Credentials
Username: admin
Password: admin@d
## Impact
The SQL injection vulnerability can be used to exfiltrate sensitive
information from the MSSQL DBMS used with GlobalForms. In every case that
was tested the DBMS was running with SYSTEM privileges and was successfully
used in conjunction with xp_cmdshell to establish an interactive shell.
## Credit
This vulnerability was discovered by Darrell Damstedt <hateshape () gmail
com>.
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8820
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic