full-disclosure-uk January 2010 archive

[Full-disclosure] Zenoss getJSONEventsInfo SQL Injection

From: Adam Baldwin <adam_baldwin_at_nospam>
Date: Thu Jan 14 2010 - 09:13:14 GMT
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com


nGenuity Information Services -- Security Advisory

Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
Application: Zenoss 2.3.3
Vendor: Zenoss
Vendor website: http://www.zenoss.com
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
Authentication: Valid user or admin session required

I. BACKGROUND
    "Zenoss Core is an award-winning open source IT monitoring product that effectively manages the configuration, health and performance of networks, servers and applications through a single, integrated software package." [1]

II. DETAILS
    getJSONEventsInfo contains multiple SQL Injection vulnerabilities due to improperly sanitized user-provided input. The following URL parameters are injectable: severity, state, filter, offset, and count.

    Authentication as an admin or regular user is required for successful exploitation.

    A proof of concept request might look like this:
    /zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&offset=0&count=60 into outfile "/tmp/z"

III. REFERENCES
[1] - http://www.zenoss.com
[2] - http://cwe.mitre.org/data/definitions/89.html
IV. VENDOR COMMUNICATION
3.10.2009 - Vulnerability Discovery
8.21.2009 - Requested status from vendor
9.29.2009 - Vendor call (Fix pending)

Copyright (c) 2009 nGenuity Information Services, LLC

http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-001-zenoss-getjsoneventsinfo-sql-injection/
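The following is an added detection example, not part of the advisory or of Zenoss: it scans access-log lines for requests to the getJSONEventsInfo endpoint whose integer parameters (severity, state, offset, count) carry anything but digits, or whose filter parameter carries SQL syntax, which is how the injection in section II shows up in logs. The Apache-style log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Endpoint and parameters named in section II of the advisory above.
TARGET_PATH = "/zport/dmd/Events/getJSONEventsInfo"
INTEGER_PARAMS = ("severity", "state", "offset", "count")  # must carry digits only
FREE_TEXT_PARAMS = ("filter",)                              # free text: look for SQL syntax

# Assumed log shape: Apache-style access log in front of Zope (constructed, not Zenoss's own).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')
# SQL syntax that has no business in an event filter string.
SQL_HINT_RE = re.compile(r"into\s+outfile|\bunion\b|\bselect\b|--|;|'|\"", re.IGNORECASE)

def inspect_request(url):
    """Return a list of findings for one request URL; empty when the request looks benign."""
    parsed = urlparse(url)
    if parsed.path != TARGET_PATH:
        return []
    params = parse_qs(parsed.query, keep_blank_values=True)  # percent-decodes the values
    findings = []
    for name in INTEGER_PARAMS:
        for value in params.get(name, []):
            if not value.isdigit():
                findings.append(f"{name}: non-numeric value {value!r}")
    for name in FREE_TEXT_PARAMS:
        for value in params.get(name, []):
            if SQL_HINT_RE.search(value):
                findings.append(f"{name}: SQL syntax in {value!r}")
    return findings

def scan_log(lines):
    """Return [(line_number, findings)] for each log line whose request is suspicious."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = inspect_request(match.group("url"))
            if findings:
                hits.append((number, findings))
    return hits

# Constructed sample log: a normal request, the advisory's proof-of-concept request as a
# browser would percent-encode it, and an unrelated page that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - admin [14/Jan/2010:09:13:14 +0000] "GET /zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&offset=0&count=60 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [14/Jan/2010:09:13:20 +0000] "GET /zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&offset=0&count=60%20into%20outfile%20%22/tmp/z%22 HTTP/1.1" 200 17',
    '10.0.0.7 - - [14/Jan/2010:09:14:01 +0000] "GET /zport/dmd/Devices?severity=abc HTTP/1.1" 200 2048',
]
```

Calling scan_log(SAMPLE_LOG) flags only the second line; a server-side fix would apply the same type check before the values reach the query and bind them as parameters rather than concatenating them.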


