
SolarWinds Storage Manager SQL Injection

Posted Jan 24, 2012
Authored by Digital Defense, r@b13$ | Site digitaldefense.net

SolarWinds Storage Manager Server suffers from a remote SQL injection vulnerability that will allow for authentication bypass.

tags | advisory, remote, sql injection
MD5 | 8c8cc2d0f83d574e1ff66fdb11d03fc8

Title
-----
DDIVRT-2011-39 SolarWinds Storage Manager Server SQL Injection
Authentication Bypass

Severity
--------
High

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Date Discovered
---------------
December 7, 2011

Vulnerability Description
-------------------------
The 'LoginServlet' page on port 9000 of the SolarWinds Storage Manager
Server is vulnerable to a SQL injection within the 'loginName' field.
An attacker can leverage this flaw to bypass authentication to the
Storage Manager application or to execute arbitrary SQL commands and
extract sensitive information from the backend database using standard
SQL exploitation techniques. Additionally, an attacker may be able to
leverage this flaw to compromise the database server host operating
system.
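
Added example, not code from this advisory or from SolarWinds: the advisory does not publish the servlet's query, so the table, the column names and both functions below are assumptions. They illustrate the class of flaw described (a login-name value concatenated into the authentication query) beside the parameterized form that closes it, using an in-memory SQLite database.

```python
import hashlib
import sqlite3

SALT = b"constructed-salt"  # constructed; real systems use a random per-user salt


def pw_hash(password):
    """Derive the stored password verifier (hex PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db():
    """Build a constructed user table; the schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login_name TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("correct-horse")))
    return db


def login_concatenated(db, login_name, password):
    """Flawed pattern: the request value becomes part of the SQL text itself."""
    sql = ("SELECT login_name FROM users WHERE login_name = '" + login_name +
           "' AND password_hash = '" + pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, login_name, password):
    """Hardened pattern: values are bound as data and never parsed as SQL."""
    sql = "SELECT login_name FROM users WHERE login_name = ? AND password_hash = ?"
    return db.execute(sql, (login_name, pw_hash(password))).fetchone() is not None


# Constructed test value: closes the string literal, then comments out the
# password check that follows it in the concatenated statement.
CRAFTED = "admin' --"

if __name__ == "__main__":
    db = make_db()
    for check in (login_concatenated, login_parameterized):
        print(check.__name__, "wrong password accepted:", check(db, CRAFTED, "wrong"))
    # A legitimate name containing an apostrophe also breaks the flawed form.
    try:
        login_concatenated(db, "o'brien", "x")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed to parse:", exc)
    print("parameterized handles it:", login_parameterized(db, "o'brien", "x"))
```

SQL parse errors on the login path, like the `OperationalError` raised for the apostrophe case, are a useful signal to alert on in application logs.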

Solution Description
--------------------
SolarWinds has not yet provided a patch to address the issue. Digital
Defense, Inc. recommends restricting access to the affected port until
an update has been produced by the vendor.

Tested Systems / Software
-------------------------
32-bit SolarWinds Storage Manager Server version 5.1.2 on Windows 2003

Vendor Contact
--------------

Name: SolarWinds
Website: http://www.solarwinds.com/
