OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Akatosh (akatoshrains.net)
Date: Tue Jun 04 2002 - 09:59:57 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Background
    ----------

    "LogiSense Corporation is a leading provider of performance software for
    service providers and enterprises. We offer a wide range of low-cost
    solutions designed to address common client billing and management,
    traffic congestion, network scalability, and latency issues."

    LogiSense software tested includes Hawk-i Billing, Hawk-i ASP and DNS
    Manager. These softwares are isp/asp billing systems and a web based dns
    manager, respectively.

    Problem(s)
    ----------

    The login forms are vulnerable to sql injection.

    Login: alskdjflawersadf
    Password: ' OR ''='

    The most obvious implications (besides logging in without a username/pass)
    is that this could be leveraged to execute arbitrary commands or steal
    customer information.

    Vendor Status
    -------------

    The vendor, Logisense, was informed of the problem on 3/6/02 via their
    published 'supporthawk-i.com' email address, again on 3/20/02 via their
    support, inquiry, and sales addresses, and some guy named Rich who the
    support autoresponse was addressed from.

    The guy named Rich replied the next day and said the bug was in the queue
    and would be delt with shortly. 3/29/02 I emailed Rich again and asked
    whats up and he says it will be addressed ASAP.

    So here it is 6/04/02 and it still hasn't been fixed (at least it still
    works with their online demos).

    Work Around
    -----------

    If you use Logisense software, don't let yourself be listed on their list
    of targe..er, customers. Better yet, don't use software by a vendor who
    ignores security bugs for three months.

    You can probably edit the login forms (which are in asp) and add something
    like

    dim regex
    set regex = New RegExp
    regex.pattern = "[^0-9a-zA-Z]"
    regex.Global = True
    cleantext = regex.replace(inputtext, "")

    I don't have copies of these softwares to try it on so I can not give more
    detail.

    --
    Edward Fahner
    Systems Administrator, Quantrex ITG
    (540) 442-6677 x222 [aka. Akatosh  .CU.Au, akatoshrains.net]
    DC2.DwGmL--WT--SksCre+\Cvi+BflA(+r-v+++)NaM++H++$FoR+Ac+++!J+S+U-I--#V+++Q+Tc++E--