Jan 14 2010
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
Application: Zenoss 2.3.3
Vendor: Zenoss
Vendor website: http://www.zenoss.com
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
BID: 37802
I. BACKGROUND
"Zenoss Core is an award-winning open source IT monitoring product that
effectively manages the configuration, health and performance of
networks, servers and applications through a single, integrated
software package." [1]
II. DETAILS
getJSONEventsInfo contains multiple SQL Injection vulnerabilities due to improperly
sanitized user-provided input. The following URL parameters are injectable: severity,
state, filter, offset, and count.
Authentication as an admin or regular user is required for successful exploitation.
Depending on the type of attack, it may also be accomplished via Cross-Site Request
Forgery (CSRF).
A proof of concept request might look like this:
/zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&offset=0&count=60 into outfile "/tmp/z"
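The five injectable parameters above are all spliced into an SQL string as-is. As an added example (not Zenoss code and not part of the advisory), the Python below contrasts a string-concatenated query builder for those parameters with a hardened one that validates the numeric parameters as bounded integers and binds the free-text filter; the table and column names are constructed assumptions, and SQLite stands in for the MySQL backend.

```python
import re
import sqlite3

# Constructed sample rows standing in for an events table (assumption: the
# table and column names are illustrative, not Zenoss's real schema).
SAMPLE_EVENTS = [
    (1, 5, 0, "web01 down"),
    (2, 3, 1, "disk 90% on db02"),
    (3, 5, 0, "cpu high on web02"),
]

def build_query_vulnerable(severity, state, filter_, offset, count):
    """Bug class from the advisory: every parameter is concatenated verbatim,
    so a value such as 60 into outfile "/tmp/z" becomes part of the SQL."""
    return (
        "SELECT id, severity, state, summary FROM events "
        f"WHERE severity >= {severity} AND state = {state} "
        f"AND summary LIKE '%{filter_}%' "
        f"ORDER BY id LIMIT {count} OFFSET {offset}"
    )

_INT = re.compile(r"^\d{1,6}$")  # non-negative integer, bounded length

def build_query_hardened(severity, state, filter_, offset, count):
    """Reject anything non-numeric for the four integer parameters and bind
    the filter as a query parameter; returns (sql, params) for execution."""
    for name, value in (("severity", severity), ("state", state),
                        ("offset", offset), ("count", count)):
        if not _INT.match(str(value)):
            raise ValueError(f"{name} must be a non-negative integer")
    count = min(int(count), 1000)  # cap the page size server-side
    sql = (
        "SELECT id, severity, state, summary FROM events "
        "WHERE severity >= ? AND state = ? AND summary LIKE ? "
        "ORDER BY id LIMIT ? OFFSET ?"
    )
    params = (int(severity), int(state), f"%{filter_}%", count, int(offset))
    return sql, params

def fetch_events(severity, state, filter_, offset, count):
    """Run the hardened query against an in-memory table of the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, severity INTEGER, "
                 "state INTEGER, summary TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    sql, params = build_query_hardened(severity, state, filter_, offset, count)
    return conn.execute(sql, params).fetchall()
```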
III. REFERENCES
[1] - http://www.zenoss.com
IV. VENDOR COMMUNICATION
3.10.2009 - Vulnerability Discovery
8.21.2009 - Requested status from vendor
9.29.2009 - Vendor call (Fix pending)
Update 1.21.2010
This vulnerability was fixed prior to version 2.5.
http://dev.zenoss.org/trac/changeset/15257
Copyright (c) 2009 nGenuity Information Services, LLC
Aug 14 2009
I stumbled upon a fun little SQL injection in playfoursquare the other day. I notified them but have not heard back; it appears it has been addressed, though, so here are the details.
It was possible to inject specially crafted SQL into the cookie "cookieCityID"
which provides
If you set the cookie to the value below the query will take roughly 5-7
seconds to return with this "True" condition (1=1).
(SELECT IF(1=1,BENCHMARK(1000000,SHA1(1)),0))
If you change the logic condition to 1=0 (False) the query returns
immediately, demonstrating that blind SQL injection is possible.
(SELECT IF(1=0,BENCHMARK(1000000,SHA1(1)),0))
III. REFERENCES
[1] - http://playfoursquare.com
Jan 27 2009
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2009-002
Application: Open-Realty 2.5.5
Vendor: Transparent Technologies, INC
Vendor website: http://www.transparent-tech.com/
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
I. BACKGROUND
"Open-Realty® is an open source web based real estate listing management
application. It is intended to be both easy to setup and use. Written
in PHP, Open-Realty® is designed to be a fast and flexible tool for
your real estate website." [1]
II. DETAILS
A Blind SQL Injection vulnerability exists within Open-Realty that is
exploitable by a user with admin or agent privileges.
This vulnerability can be exploited by inserting specially crafted SQL
into the edit form field in the image upload feature of Open-Realty.
Successful exploitation of this vulnerability could result in extraction
of data from the Open-Realty database.
III. VENDOR
1.27.2009 - Version 2.5.6 has been released and addresses this vulnerability.
IV. REFERENCES
[1] - http://www.open-realty.org/
Copyright (c) 2008 nGenuity Information Services, LLC