Vulnerability type: SQL Injection
Product: NetCracker Resource Management System
Affected version: =< 8.0
Patched version: 8.2
Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan
CVE ID: CVE-2015-3423
PROOF OF CONCEPT (SQLi)
SQL Injection (SQLi) vulnerability in multiple pages in NetCracker
Resource Management System and earlier allows authenticated users to
inject SQL statements via multiple parameters.
VULNERABLE PARAMETERS:
- ctrl
- h____%2427
- h____%2439
- param0
- param1
- param2
- param3
- param4
- filter_INSERT_COUNT
- filter_MINOR_FALLOUT
- filter_UPDATE_COUNT
- sort
- sessid
- (etc…)
SAMPLE PAYLOAD
TIMELINE
- 28/02/2015: Vulnerability found
- 13/03/2015: Vendor informed
- 13/03/2015: Vendor responded and acknowledged
- 21/04/2015: Vendor fixed the issue
- 22/07/2015: Public disclosure