Hosting Controller addgatewaysettings.asp and ipmanager.asp SQL Injection Vulnerability
2006 February 7 15:35 GMT
Hosting Controller versions 6.1 hotfix 2.8 and possibly prior contain a SQL injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary SQL commands on the targeted system.
The vulnerability exists due to a lack of input validation in the addgatewaysettings.asp and ipmanager.asp scripts. A remote, authenticated attacker could exploit this vulnerability by injecting and executing arbitrary SQL commands on a targeted system. The SQL code executes with privileges of the database account used by the targeted web service.
Exploit code is available.
Patches are unavailable.
Indicators of Compromise
Systems running Hosting Controller versions 6.1 hotfix 2.8 and possibly prior are vulnerable.
A remote, authenticated attacker could exploit this vulnerability via a crafted URL to execute arbitrary SQL commands, allowing the attacker to view or possibly change sensitive data. The vulnerability exists because the addgatewaysettings.asp script fails to sanitize input to the GatewayID parameter and the ipmanager.asp script fails to sanitize input to the IP parameter. The attacker could also exploit this vulnerability to delete the tblgatewaycustomize and tblipmanager fields.
Since exploitation requires authentication as a reseller, the likelihood of attack is low. Administrators can reduce the impact of this vulnerability by ensuring database accounts that link web servers with the back end database run with minimum privileges.
Attackers can also exploit this vulnerability by convincing a user who is authenticated to Hosting Controller to follow a malicious link with embedded SQL code. This approach is harder to stage, but does not require the attacker to authenticate.
Administrators are advised to contact the vendor regarding update information.
Administrators are advised to restrict access to trusted users.
Users are advised to not follow untrusted links.
Administrators are advised to use a minimally privileged database account to handle requests from the web server.
Administrators are advised to monitor the system for signs of exploitation.
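One way to monitor for signs of exploitation is to review IIS W3C logs for requests to the two affected scripts whose GatewayID or IP value is not in the expected format. The following is an added example, not part of the original alert or of Hosting Controller; the value formats (GatewayID as a decimal integer, IP as a dotted-quad IPv4 address), the log field layout and the sample log lines with their paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Scripts and parameters named in the alert. Allowed value formats are assumptions:
# GatewayID is treated as a decimal integer, IP as a dotted-quad IPv4 address.
RULES = {
    "addgatewaysettings.asp": ("gatewayid", re.compile(r"\d{1,10}")),
    "ipmanager.asp": ("ip", re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")),
}

def find_suspicious(lines):
    """Return (line_number, script, parameter, decoded_value) per flagged request."""
    fields, hits = [], []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        script = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if script not in RULES:
            continue
        param, allowed = RULES[script]
        query = row.get("cs-uri-query", "-")
        if query == "-":                       # IIS logs "-" for an empty query string
            continue
        # parse_qs percent-decodes values, so encoded quotes and semicolons are seen
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if key.lower() != param:
                continue
            for value in values:
                if not allowed.fullmatch(value):   # allowlist: anything else is flagged
                    hits.append((lineno, script, key, value))
    return hits

# Constructed sample log; addresses, paths and values are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-02-07 15:40:01 192.0.2.10 GET /admin/addgatewaysettings.asp GatewayID=12 200
2006-02-07 15:40:09 192.0.2.44 GET /admin/addgatewaysettings.asp GatewayID=12%27%3B-- 500
2006-02-07 15:41:30 192.0.2.10 GET /admin/ipmanager.asp IP=198.51.100.7 200
2006-02-07 15:42:02 192.0.2.44 GET /admin/ipmanager.asp IP=198.51.100.7%27-- 200
2006-02-07 15:43:00 192.0.2.10 GET /admin/main.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("line %d: %s %s=%r" % hit)
```

The same allowlist patterns can serve as server-side input validation for the two parameters if the assumed formats hold for the deployment.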
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.