[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Zenoss getJSONEventsInfo SQL Injection
- To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Zenoss getJSONEventsInfo SQL Injection
- From: Adam Baldwin <adam_baldwin@xxxxxxxxxxxxxxx>
- Date: Thu, 14 Jan 2010 01:13:14 -0800
nGenuity Information Services -- Security Advisory
Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
Application: Zenoss 2.3.3
Vendor: Zenoss
Vendor website: http://www.zenoss.com
Author: Adam Baldwin (adam_baldwin@xxxxxxxxxxxxxxx)
Authentication: Valid user or admin session required
I. BACKGROUND
"Zenoss Core is an award-winning open source IT monitoring product that
effectively manages the configuration, health and performance of
networks, servers and applications through a single, integrated
software package." [1]
II. DETAILS
getJSONEventsInfo contains multiple SQL Injection vulnerabilities due to
improperly
sanitized user provided input. The following URL parameters are injectable:
severity,
state, filter, offset, and count.
Authentication as an admin or regular user is required for successful
exploitation.
A proof of concept request might look like this
/zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&
offset=0&count=60 into outfile "/tmp/z"
III. REFERENCES
[1] - http://www.zenoss.com
[2] - http://cwe.mitre.org/data/definitions/89.html
IV. VENDOR COMMUNICATION
3.10.2009 - Vulnerability Discovery
8.21.2009 - Requested status from vendor
9.29.2009 - Vendor call (Fix pending)
Copyright (c) 2009 nGenuity Information Services, LLC
http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-001-zenoss-getjsoneventsinfo-sql-injection/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/