NetCracker Resource Management 8.0 - SQL Injection Vulnerability

2015-07-27T00:00:00
ID SECURITYVULNS:DOC:32364
Type securityvulns
Reporter Securityvulns
Modified 2015-07-27T00:00:00

Description

Vulnerability type: SQL Injection

Vendor: http://www.netcracker.com/

Product: NetCracker Resource Management System

Affected version: =< 8.0

Patched version: 8.2

Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan

CVE ID: CVE-2015-3423

PROOF OF CONCEPT (SQLi)

SQL Injection (SQLi) vulnerability in multiple pages in NetCracker Resource Management System and earlier allows authenticated users to inject SQL statements via multiple parameters.

VULNERABLE PARAMETERS:

  • ctrl
  • h____%2427
  • h____%2439
  • param0
  • param1
  • param2
  • param3
  • param4
  • filter_INSERT_COUNT
  • filter_MINOR_FALLOUT
  • filter_UPDATE_COUNT
  • sort
  • sessid
  • (etc...)

SAMPLE PAYLOAD

  • '

TIMELINE

  • 28/02/2015: Vulnerability found
  • 13/03/2015: Vendor informed
  • 13/03/2015: Vendor responded and acknowledged
  • 21/04/2015: Vendor fixed the issue
  • 22/07/2015: Public disclosure