Kwok Information Server 2.7.3 / 2.8.4 SQL Injection Vulnerability



EKU-ID: 3497 CVE: 2013-5028 OSVDB-ID:
Author: Yogesh Phadtare Published: 2013-09-16 Verified: Verified


##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##
||                                                                  ||
|| Advisory           : Kwok Information Server Blind SQL Injection ||
|| Affected Version   : 2.7.3 & 2.8.4                               || 
|| Vendor             : http://www.kwoksys.com/index.php            || 
|| Risk               : Medium                                      ||
|| CVE-ID             : 2013-5028                                   || 
|| Tested on Platform : Windows 7                                   ||
##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##
  
==========================================================================================================
  
Product Description:
  
Kwok Information Server is an open source IT management system, providing a single application for managing IT assets, software licenses, contracts, issues, contacts. Additional modules include portal, RSS, blogging. (from product home page)
  
==========================================================================================================
  
Vulnerability Description:
  
A blind SQL injection vulnerability has been detected in Kwok Information Server. The application fails to sanitize user-supplied input in the "hardwareType", "hardwareStatus" and "hardwareLocation" parameters of the hardware-index page.
  
The user must be authenticated to exploit this vulnerability.
  
This vulnerability was tested with Kwok Information Server 2.7.3 and 2.8.4. Other versions may also be affected. 
  
===========================================================================================================
  
Impact:
  
Successful exploitation of this vulnerability will allow a remote authenticated attacker to extract
sensitive and confidential data from the database.
  
===========================================================================================================
  
Proof of Concept:
  
1]
Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareType=49[Inject Payload Here]
  
2]
Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareStatus=0[Inject Payload Here]
  
3]
Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareLocation=0[Inject Payload Here]
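As an added defender-side example (not part of this advisory, and not code from Kwok Information Server), the check below flags access-log requests to hardware-list.dll whose hardwareType, hardwareStatus or hardwareLocation value is not a plain integer, which is the form the PoC URLs above show for legitimate use. The combined-style log format and the sample lines are assumed and constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The three parameters the advisory names on hardware-list.dll. The PoC URLs show
# them carrying plain integers (49, 0, 0), so this assumes integer-only is legitimate.
WATCHED_PARAMS = {"hardwareType", "hardwareStatus", "hardwareLocation"}
INTEGER = re.compile(r"^-?\d+$")

def suspicious_params(request_target):
    """Return {param: decoded value} for watched params whose value is not an integer."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/hardware-list.dll"):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)  # empty values are reported too
    findings = {}
    for name in WATCHED_PARAMS.intersection(qs):
        for value in qs[name]:
            if not INTEGER.match(value):
                findings[name] = value
    return findings

# Assumed combined-style access log: client, ident, auth user, time, request, status.
LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(lines):
    """Return one record per request whose watched parameters look tampered with."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, user, ts, _method, target, status = m.groups()
        findings = suspicious_params(target)
        if findings:
            # exploitation needs a session, so the auth-user field attributes the request
            hits.append({"client": client, "user": user, "time": ts,
                         "status": status, "params": findings})
    return hits

# Constructed sample lines, not captured from any real server.
SAMPLE_LOG = [
    '10.10.75.20 - alice [16/Sep/2013:10:12:01 +0000] "GET /kwok/IT/hardware-list.dll?cmd=search&hardwareType=49&hardwareStatus=0 HTTP/1.1" 200 5123',
    '10.10.75.21 - bob [16/Sep/2013:10:13:44 +0000] "GET /kwok/IT/hardware-list.dll?cmd=search&hardwareType=49%27 HTTP/1.1" 500 412',
    '10.10.75.22 - carol [16/Sep/2013:10:14:02 +0000] "GET /kwok/IT/software-list.dll?cmd=search&hardwareType=abc HTTP/1.1" 200 3010',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Only the second line is reported: the third hits a different page, so it is outside the scope this advisory describes.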
  
  
===========================================================================================================
  
Solution:
  
This vulnerability has been fixed in version 2.8.5 of Kwok Information Server.
  
===========================================================================================================
  
Disclosure Timeline:
~Vendor notification: 31st July
~Vendor response: 31st July
~Vendor released updates: 7th August
~Public disclosure: 12th September
===========================================================================================================
  
Advisory discovered by: Yogesh Phadtare  
                        Secur-I Research Group
                        http://securview.com/