CVE-2019-17602 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Severity

98%

Complexity

39%

Confidentiality

98%

An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.

An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.

CVSS 3.1 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Demo Examples

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

In 2008, a large number of web servers were compromised using the same SQL injection attack string. This single string worked against many different programs. The SQL injection was then used to modify the web sites to serve malicious code.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.


               
...

The query that this code intends to execute follows:


               
SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>;

However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string:


               
name' OR 'a'='a

for itemName, then the query becomes the following:


               
SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name' OR 'a'='a';

The addition of the:


               
OR 'a'='a

condition causes the WHERE clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:


               
SELECT * FROM items;

This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

This code intends to print a message summary given the message ID.


               
mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'");

The programmer may have skipped any input validation on $id under the assumption that attackers cannot modify the cookie. However, this is easy to do with custom client code or even in the web browser.

While $id is wrapped in single quotes in the call to mysql_query(), an attacker could simply change the incoming mid cookie to:


               
1432' or '1' = '1

This would produce the resulting query:


               
SELECT MessageID, Subject FROM messages WHERE MessageID = '1432' or '1' = '1'

Not only will this retrieve message number 1432, it will retrieve all other messages.

In this case, the programmer could apply a simple modification to the code to eliminate the SQL injection:


               
mysql_query("SELECT MessageID, Subject FROM messages WHERE MessageID = '$id'");

However, if this code is intended to support multiple users with different message boxes, the code might also need an access control check (CWE-285) to ensure that the application user has the permission to see that message.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

This example attempts to take a last name provided by a user and enter it into a database.


               
$query = "INSERT INTO last_names VALUES('$userKey', '$name')";# ensure only letters, hyphens and apostrophe are allowed

While the programmer applies a whitelist to the user input, it has shortcomings. First of all, the user is still allowed to provide hyphens which are used as comment structures in SQL. If a user specifies -- then the remainder of the statement will be treated as a comment, which may bypass security logic. Furthermore, the whitelist permits the apostrophe which is also a data / command separator in SQL. If a user supplies a name with an apostrophe, they may be able to alter the structure of the whole statement and even change control flow of the program, possibly accessing or modifying confidential information. In this situation, both the hyphen and apostrophe are legitimate characters for a last name and permitting them is required. Instead, a programmer may want to use a prepared statement or apply an encoding routine to the input to prevent any data / directive misinterpretations.

Overview

Type

ZohoCorp ManageEngine OpManager

First reported 5 years ago

2019-10-15 21:15:00

Last updated 5 years ago

2019-10-17 14:11:00

Affected Software

ZohoCorp ManageEngine OpManager -

ZohoCorp ManageEngine OpManager 12.4

12.4

ZohoCorp ManageEngine OpManager 12.4 124000

12.4

ZohoCorp ManageEngine OpManager 12.4 124011

12.4

ZohoCorp ManageEngine OpManager 12.4 124012

12.4

ZohoCorp ManageEngine OpManager 12.4 124013

12.4

ZohoCorp ManageEngine OpManager 12.4 124014

12.4

ZohoCorp ManageEngine OpManager 12.4 124015

12.4

ZohoCorp ManageEngine OpManager 12.4 124016

12.4

ZohoCorp ManageEngine OpManager 12.4 124022

12.4

ZohoCorp ManageEngine OpManager 12.4 124023

12.4

ZohoCorp ManageEngine OpManager 12.4 124024

12.4

ZohoCorp ManageEngine OpManager 12.4 124025

12.4

ZohoCorp ManageEngine OpManager 12.4 124026

12.4

ZohoCorp ManageEngine OpManager 12.4 124027

12.4

ZohoCorp ManageEngine OpManager 12.4 124030

12.4

ZohoCorp ManageEngine OpManager 12.4 124033

12.4

ZohoCorp ManageEngine OpManager 12.4 124037

12.4

ZohoCorp ManageEngine OpManager 12.4 124039

12.4

ZohoCorp ManageEngine OpManager 12.4 124040

12.4

ZohoCorp ManageEngine OpManager 12.4 124041

12.4

ZohoCorp ManageEngine OpManager 12.4 124042

12.4

ZohoCorp ManageEngine OpManager 12.4 124043

12.4

ZohoCorp ManageEngine OpManager 12.4 124051

12.4

ZohoCorp ManageEngine OpManager 12.4 124053

12.4

ZohoCorp ManageEngine OpManager 12.4 124054

12.4

ZohoCorp ManageEngine OpManager 12.4 124056

12.4

ZohoCorp ManageEngine OpManager 12.4 124058

12.4

ZohoCorp ManageEngine OpManager 12.4 124065

12.4

ZohoCorp ManageEngine OpManager 12.4 124066

12.4

ZohoCorp ManageEngine OpManager 12.4 124067

12.4

ZohoCorp ManageEngine OpManager 12.4 124069

12.4

ZohoCorp ManageEngine OpManager 12.4 124070

12.4

ZohoCorp ManageEngine OpManager 12.4 124071

12.4

ZohoCorp ManageEngine OpManager 12.4 124074

12.4

ZohoCorp ManageEngine OpManager 12.4 124075

12.4

ZohoCorp ManageEngine OpManager 12.4 124081

12.4

ZohoCorp ManageEngine OpManager 12.4 124082

12.4

ZohoCorp ManageEngine OpManager 12.4 124085

12.4

ZohoCorp ManageEngine OpManager 12.4 124086

12.4

ZohoCorp ManageEngine OpManager 12.4 124087

12.4

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.