
[Full-disclosure] Vulnerability Report: EMC Centera Universal Access



adMERITia Vulnerability Report
Vulnerability Information

Vendor: EMC²
Product: Centera Universal Access
Version: CUA4.0_4735.p4

Vulnerability Type: Software Flaw

Vulnerability: SQL Injection

Impact: An attacker can bypass the authentication method and will be logged in 
as an arbitrary user. An attacker who knows specific user names can choose the 
user he/she wishes to log in as, without a password.

Description: The user name field of the CUA Module Login does not sanitize user 
input, allowing an attacker to run arbitrary SQL code. Using the "--" comment 
syntax it is possible to comment out the password check, which lets an attacker 
log in with the first available user name in the table. By repeating this 
several times, or by searching through the "Accounts" tab within the CUA 
Module, an attacker can gather a list of all users. With this list an attacker 
can select an administrator account and log in with it by simply entering the 
user name followed by "--".

How Vulnerability can be reproduced:
        For an arbitrary account enter the following in the user field:
                ' --
        For a targeted account enter the following in the user field:
                valid_user_name' --
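
The flaw class described above, shown as an added example that is not part of the original advisory and is not EMC code: a login query built by string concatenation next to a parameterized one, run against SQLite. The product's real query and schema are not published, so the accounts table, column names, sample users and function names are assumptions, and only the targeted form from the reproduction steps is exercised.

```python
import hashlib
import hmac
import sqlite3

def pw_hash(password, salt=b"demo-salt"):
    # Constructed demo value: a real system uses a per-account random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000).hex()

def make_db():
    # Constructed sample data; the table layout is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", pw_hash("alice-secret")),
                    ("admin", pw_hash("admin-secret"))])
    return db

def login_concatenated(db, user, password):
    # Flawed pattern: the user name becomes part of the SQL text, so a quote
    # ends the string literal and "--" comments out the password condition.
    sql = ("SELECT username FROM accounts WHERE username = '" + user +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, user, password):
    # Hardened pattern: the user name is bound as data and never parsed as
    # SQL; the password comparison happens outside the query, in constant time.
    row = db.execute("SELECT pw_hash FROM accounts WHERE username = ?",
                     (user,)).fetchone()
    if row is None:
        return None
    return user if hmac.compare_digest(row[0], pw_hash(password)) else None

if __name__ == "__main__":
    db = make_db()
    probe = "admin' --"  # targeted form from the reproduction steps
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__,
              "| valid login:", fn(db, "admin", "admin-secret"),
              "| probe with wrong password:", fn(db, probe, "wrong"))
```
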

Release Information
Model: CENTERA_GEN_4
Software Version: CUA4.0_4735.p4
Operating System: Linux i386 V. 2.6.16.21-0.15_VCUA4_0_4735

Fix: (quote from the vendor)
"The remedy for the reported problems has been released on 30 June 2008 and is 
available on EMC Powerlink as CUA 4.0.1 Patch 1, under "Support -> Software 
Download"."
Vendor URL: www.emc.com

Vendor Status:
Vendor was informed of the problem, and was very cooperative in getting a patch 
developed for the problem. However, contact was broken off by the vendor after 
the relevant patch was released. The vendor has not yet published an advisory 
stating the reason for the latest patch or the discovered vulnerability in 
previous versions. This vulnerability was brought to the attention of the 
vendor on May 20, 2008 under the policy of responsible disclosure as documented 
at http://www.wiretrip.net/rfp/policy.html. After cooperating on a patch the 
vendor did not respond to requests to release a public advisory. Therefore we 
have taken the initiative to alert the public through various security 
publications.

Credit for this vulnerability finding should be given to:
Lars Heidelberg, adMERITia GmbH
Aaron Brown, adMERITia GmbH

Disclaimer
The information within this document may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties with regard to this information. In no event shall the author be 
liable for any consequences whatsoever arising out of or in connection with the 
use or spread of this information. Any use of this information lies within the 
user's responsibility.


With kind regards

Aaron Brown


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/