[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass
From: ddivulnalert@xxxxxxxxxxxxxxx
Date: Tue, 29 May 2012 15:25:52 GMT

Title
-----
DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass

Severity
--------
High

Date Discovered
---------------
April 2, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
Multiple SQL injection vectors and an authentication bypass were discovered in 
SCLIntra Enterprise. An attacker can leverage this flaw to bypass 
authentication to the application or to execute arbitrary SQL commands and 
extract information from the backend database using standard SQL exploitation 
techniques.

Solution Description
--------------------
The vendor has indicated that the current version of SCLIntra Enterprise is 
version 6 and does not contain the vulnerabilities reported by DDI. Any 
SCLIntra Enterprise customers still using versions prior to 6 should contact 
SCLogic at 1.888.700.7027 to remedy the vulnerabilities (a current SCLogic 
support contract is required). 

Tested Systems / Software
-------------------------
SCLogic SCLIntra Enterprise 5.5.2 on Windows 2003

Vendor Contact
--------------
Vendor Name: SCLogic
Vendor Website: http://www.sclogic.com/

Prev by Date: [ MDVSA-2012:084 ] ncpfs
Next by Date: [SECURITY] [DSA 2480-2] request-tracker3.8 regression update
Previous by thread: [ MDVSA-2012:084 ] ncpfs
Next by thread: [SECURITY] [DSA 2480-2] request-tracker3.8 regression update
Index(es):
- Date
- Thread