Hornbill Supportworks ITSM 1.0.0 - SQL Injection

EDB-ID:

25002




Platform:

PHP

Date:

2013-04-25


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

Summary

 

SQL Injection Vulnerability in ITSM component of Hornbill Supportworks
Application

 

    CVE number: CVE-2013-2594

    Impact: High

    Vendor homepage: http://www.hornbill.com

    Vendor notified: 19/11/2012

    Vendor response: This issue has reportedly been fixed but the vendor
refused to give version details.

    Credit: Joseph Sheridan of ReactionIS

 

Affected Products

 

Supportworks ITSM versions 1.0.0 and possibly other versions

 

Details

 

There is a SQL injection vulnerability in the ITSM component of the
Supportworks Application. The vulnerable file is calldiary.php found in the
/reports folder of the webroot. The following URL demonstrates the issue:

 

 

http://vulnhost.com/reports/calldiary.php?callref=VULN 

 

This attack can be used to take full control of the host by writing a php
webshell document (using mysql 'into outfile') to the webroot.

 

 

Impact

 

An attacker may be able to take full control of the Supportworks server and
execute arbitrary operating-system commands.

 

Solution

 

Upgrade to the latest available ITSM version - contact Vendor for more
details.

 

http://www.reactionpenetrationtesting.co.uk 

http://www.reactionpenetrationtesting.co.uk/research.html 

http://www.reactionpenetrationtesting.co.uk/security-testing-services.html