SQL injection in Logisense software

From: Akatosh (akatoshat_private)
Date: Tue Jun 04 2002 - 07:59:57 PDT


    Background
    ----------
    
    "LogiSense Corporation is a leading provider of performance software for
    service providers and enterprises. We offer a wide range of low-cost
    solutions designed to address common client billing and management,
    traffic congestion, network scalability, and latency issues."
    
    LogiSense software tested includes Hawk-i Billing, Hawk-i ASP and DNS
    Manager. These are ISP/ASP billing systems and a web-based DNS
    manager, respectively.
    
    Problem(s)
    ----------
    
    The login forms are vulnerable to SQL injection.
    
    Login: alskdjflawersadf
    Password: ' OR ''='
    
    The most obvious implication (besides logging in without a username/password)
    is that this could be leveraged to execute arbitrary commands or steal
    customer information.
    
    Vendor Status
    -------------
    
    The vendor, Logisense, was informed of the problem on 3/6/02 via their
    published 'support@hawk-i.com' email address, again on 3/20/02 via their
    support, inquiry, and sales addresses, and some guy named Rich who the
    support autoresponse was addressed from.
    
    The guy named Rich replied the next day and said the bug was in the queue
    and would be dealt with shortly. On 3/29/02 I emailed Rich again and asked
    what's up, and he said it would be addressed ASAP.
    
    So here it is 6/04/02 and it still hasn't been fixed (at least it still
    works with their online demos).
    
    Work Around
    -----------
    
    If you use Logisense software, don't let yourself be listed on their list
    of targe..er, customers. Better yet, don't use software by a vendor who
    ignores security bugs for three months.
    
    You can probably edit the login forms (which are in ASP) and add something
    like
    
    ' Allowlist filter for the ASP login form: keep only letters and digits,
    ' so the quote character and the rest of the injection string are stripped.
    Function CleanText(inputText)
        Dim regex
        Set regex = New RegExp
        regex.Pattern = "[^0-9a-zA-Z]"
        regex.Global = True
        CleanText = regex.Replace(inputText, "")
    End Function
    
    I don't have copies of this software to try it on, so I cannot give more
    detail.
    
    --
    Edward Fahner
    Systems Administrator, Quantrex ITG
    (540) 442-6677 x222 [aka. Akatosh  .CU.Au, akatoshat_private]
    DC2.DwGmL--WT--SksCre+\Cvi+BflA(+r-v+++)NaM++H++$FoR+Ac+++!J+S+U-I--#V+++Q+Tc++E--
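The following is an added example, not part of the original post and not LogiSense's code. It reproduces the failure mode described in the Problem(s) section with a constructed in-memory SQLite user table: a login query built by string concatenation is satisfied by the password `' OR ''='` for any username, while the same query with bound parameters is not. It also carries a Python equivalent of the allowlist filter from the Work Around section to show what that filter actually does to the payload. The table contents, function names and the `sqlite3` backend are assumptions for illustration; the vendor's real forms are ASP pages against a database not named in the post.

```python
import re
import sqlite3

# Constructed sample data: two accounts that exist only for this example.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The username/password pair quoted in the advisory.
ADVISORY_LOGIN = "alskdjflawersadf"
ADVISORY_PASSWORD = "' OR ''='"


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(login, password):
    """Assemble the query the way a naive ASP page would: by concatenation.

    With the advisory's password the WHERE clause becomes
        login = 'alskdjflawersadf' AND password = '' OR ''=''
    and, since AND binds tighter than OR, the trailing ''='' makes the
    whole predicate true for every row.
    """
    return ("SELECT login FROM users WHERE login = '" + login
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, login, password):
    """Authenticate using the concatenated query; returns the matched login or None."""
    row = conn.execute(build_vulnerable_sql(login, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, login, password):
    """Hardened form: placeholders keep the input as data, never as SQL text."""
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] if row else None


# Python rendering of the VBScript RegExp in the post: strip every character
# that is not an ASCII letter or digit.
NON_ALNUM = re.compile(r"[^0-9a-zA-Z]")


def clean_text(value):
    """Allowlist filter equivalent to the post's suggested ASP workaround."""
    return NON_ALNUM.sub("", value)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query :", build_vulnerable_sql(ADVISORY_LOGIN, ADVISORY_PASSWORD))
    print("vulnerable login :", login_vulnerable(db, ADVISORY_LOGIN, ADVISORY_PASSWORD))
    print("parameterized    :", login_parameterized(db, ADVISORY_LOGIN, ADVISORY_PASSWORD))
    print("filtered payload :", repr(clean_text(ADVISORY_PASSWORD)))
    print("filtered login   :", login_vulnerable(db, ADVISORY_LOGIN, clean_text(ADVISORY_PASSWORD)))
```

Running the block shows the concatenated query letting the advisory's credentials in as the first user in the table, the parameterized query rejecting them, and the allowlist filter reducing `' OR ''='` to the harmless string `OR`. The filter does close the hole shown here, but it also silently rewrites any legitimate password containing punctuation; binding parameters (or, in classic ASP, `ADODB.Command` with `Parameters`) fixes the cause rather than the one symptom.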
    



    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 11:39:07 PDT