IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerability
BID:9858
Info
IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerability
| Bugtraq ID: | 9858 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 12 2004 12:00AM |
| Updated: | Apr 26 2006 08:26PM |
| Credit: | Discovery of this issue is credited to Syam Yanuar <[email protected]>. |
| Vulnerable: |
IP3 Networks NA75 4.0.34 firmware IP3 Networks IP3 NetAccess - Wireless ISPs & MDUs 4.0.34 firmware IP3 Networks IP3 NetAccess - Wireless ISPs & MDUs 3.1.18 b13 firmware IP3 Networks IP3 NetAccess - Wireless ISPs & MDUs IP3 Networks IP3 NetAccess - Wireless HotZones & Small Hotels 4.0.34 firmware IP3 Networks IP3 NetAccess - Wireless HotZones & Small Hotels 3.1.18 b13 firmware IP3 Networks IP3 NetAccess - Wireless HotZones & Small Hotels IP3 Networks IP3 NetAccess - Wireless HotSpots 4.0.34 firmware IP3 Networks IP3 NetAccess - Wireless HotSpots 3.1.18 b13 firmware IP3 Networks IP3 NetAccess - Wireless HotSpots IP3 Networks IP3 NetAccess - Hospitality 4.0.34 firmware IP3 Networks IP3 NetAccess - Hospitality 3.1.18 b13 firmware IP3 Networks IP3 NetAccess - Hospitality IP3 Networks IP3 NetAccess - Campus and MDUs 4.0.34 firmware IP3 Networks IP3 NetAccess - Campus and MDUs 3.1.18 b13 firmware IP3 Networks IP3 NetAccess - Campus and MDUs |
| Not Vulnerable: | |
Discussion
IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerability
The IP3 NetAccess Appliance is reported prone to a remote SQL-injection vulnerability. This issue is due to the application's failure to properly sanitize user input.
This issue may allow an attacker to gain full control of the appliance through the network-administration interface. The attacker may also be able to influence database queries to view or modify sensitive information, potentially compromising the system or the database.
The IP3 NetAccess Appliance is reported prone to a remote SQL-injection vulnerability. This issue is due to the application's failure to properly sanitize user input.
This issue may allow an attacker to gain full control of the appliance through the network-administration interface. The attacker may also be able to influence database queries to view or modify sensitive information, potentially compromising the system or the database.
Exploit / POC
IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerability
No exploit is required to leverage this issue. The following proof of concept has been provided:
https://www.example.com/
login : 'or''='
password : 'or''='
No exploit is required to leverage this issue. The following proof of concept has been provided:
https://www.example.com/
login : 'or''='
password : 'or''='
Solution / Fix
IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerability
Solution:
This issue has been fixed in firmware version 3.1.18b13.
Update: reports indicate that this issue has resurfaced at some point. Version 4.0.34 of the firmware is also susceptible to this issue.
The reporter of this issue states that fixes are available to address this and other vulnerabilities. Users are encouraged to contact the vendor for further information on obtaining and applying fixes. For support, see the following URI:
http://www.ip3.com/supportoverview.htm
Solution:
This issue has been fixed in firmware version 3.1.18b13.
Update: reports indicate that this issue has resurfaced at some point. Version 4.0.34 of the firmware is also susceptible to this issue.
The reporter of this issue states that fixes are available to address this and other vulnerabilities. Users are encouraged to contact the vendor for further information on obtaining and applying fixes. For support, see the following URI:
http://www.ip3.com/supportoverview.htm
References
IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerability
References:
References:
- Vendor Home Page (IP3 Networks)
- Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance ("Moonen, Ralph"