ManageEngine Password Manager Pro and ManageEngine IT360 SQL Injection Vulnerability
BID: 69303
Info
| Bugtraq ID: | 69303 |
| Class: | Input Validation Error |
| CVE: | CVE-2014-3997 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 20 2014 12:00AM |
| Updated: | Sep 02 2014 01:13AM |
| Credit: | Pedro Ribeiro |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
ManageEngine Password Manager Pro and ManageEngine IT360 are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following products are affected:
- ManageEngine Password Manager Pro 5 through 7 build 7003
- ManageEngine IT360 8 through 10.1.1 build 10110
Exploit / POC
Attackers can use a browser to exploit this issue.
The following exploit URIs are available:
www.example.com/MetadataServlet.dat?sv=[SQLi]
www.example.com/console/MetadataServlet.dat?sv=[SQLi]
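As an added example (not part of this Bugtraq entry), a Python hunt script for defenders: it parses combined-format access-log lines, keeps only requests to the two MetadataServlet.dat paths listed above, and flags any whose sv parameter contains SQL metacharacters or keywords. The log lines are constructed, and the signature is a generic heuristic rather than a description of the actual flaw.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Both URIs from the advisory end in this servlet name (/MetadataServlet.dat and /console/MetadataServlet.dat)
SERVLET_SUFFIX = "/metadataservlet.dat"

# Generic SQL metacharacter / keyword heuristic: a match is a lead to triage, not proof of exploitation
SQLI_PATTERN = re.compile(
    r"(['\"`;]|--|/\*|\b(?:or|and)\b\s+[\w'\"]+\s*=|\bunion\b\s+(?:all\s+)?select\b|\bsleep\s*\(|\bwaitfor\b)",
    re.IGNORECASE,
)

# Apache/nginx combined log: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def check_request(target):
    """Return the decoded sv value if the request hits the servlet with a suspicious sv, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(SERVLET_SUFFIX):
        return None
    # parse_qs percent-decodes once; a second unquote_plus also catches double-encoded values
    for value in parse_qs(parts.query, keep_blank_values=True).get("sv", []):
        decoded = unquote_plus(value)
        if SQLI_PATTERN.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return a list of (client_ip, timestamp, decoded_sv, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, _method, target, status = m.groups()
        sv = check_request(target)
        if sv is not None:
            hits.append((ip, ts, sv, int(status)))
    return hits


# Constructed sample access-log lines (not taken from any real server)
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2014:10:01:02 +0000] "GET /console/MetadataServlet.dat?sv=42 HTTP/1.1" 200 512
10.0.0.9 - - [20/Aug/2014:10:01:07 +0000] "GET /MetadataServlet.dat?sv=1%27%20OR%201%3D1-- HTTP/1.1" 200 9120
10.0.0.9 - - [20/Aug/2014:10:01:09 +0000] "GET /MetadataServlet.dat?sv=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 331
10.0.0.7 - - [20/Aug/2014:10:02:00 +0000] "GET /login.jsp?user=o%27brien HTTP/1.1" 200 1201
""".splitlines()

if __name__ == "__main__":
    for ip, ts, sv, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} sv={sv!r} status={status}")
```

Only the two requests with SQL syntax in sv are reported; the benign sv=42 request and the apostrophe in a different parameter on a different path are not.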
Solution / Fix
Solution:
Reportedly the issue is fixed; however, Symantec has not confirmed this. Please contact the vendor for more information.
References
References:
- Password Manager Pro (ManageEngine)