Hornbill Supportworks ITSM 1.0.0 – SQL Injection

• Exploit Database
• 33 阅读

• 作者： Joseph Sheridan
  日期： 2013-04-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/25002/

• Summary
  
   
  
  SQL Injection Vulnerability in ITSM component of Hornbill Supportworks
  Application
  
   
  
  CVE number: CVE-2013-2594
  
  Impact: High
  
  Vendor homepage: http://www.hornbill.com
  
  Vendor notified: 19/11/2012
  
  Vendor response: This issue has reportedly been fixed but the vendor
  refused to give version details.
  
  Credit: Joseph Sheridan of ReactionIS
  
   
  
  Affected Products
  
   
  
  Supportworks ITSM versions 1.0.0 and possibly other versions
  
   
  
  Details
  
   
  
  There is a SQL injection vulnerability in the ITSM component of the
  Supportworks Application. The vulnerable file is calldiary.php found in the
  /reports folder of the webroot. The following URL demonstrates the issue:
  
   
  
   
  
  http://vulnhost.com/reports/calldiary.php?callref=VULN 
  
   
  
  This attack can be used to take full control of the host by writing a php
  webshell document (using mysql 'into outfile') to the webroot.
  
   
  
   
  
  Impact
  
   
  
  An attacker may be able to take full control of the Supportworks server and
  execute arbitrary operating-system commands.
  
   
  
  Solution
  
   
  
  Upgrade to the latest available ITSM version - contact Vendor for more
  details.
  
   
  
  http://www.reactionpenetrationtesting.co.uk 
  
  http://www.reactionpenetrationtesting.co.uk/research.html 
  
  http://www.reactionpenetrationtesting.co.uk/security-testing-services.html