what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

INFOR EAM 11.0 Build 201410 SQL Injection

INFOR EAM 11.0 Build 201410 SQL Injection
Posted May 15, 2017
Authored by Yoroi

INFOR EAM version 11.0 build 201410 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2017-7952
SHA-256 | 71fef17ecd1c6e2d315557a38a116f6cf61ae651c4a2c30fb6f539d179fe0115
Download | Favorite | View

INFOR EAM 11.0 Build 201410 SQL Injection

Change Mirror Download
SQL injection in INFOR EAM V11.0 Build 201410 search fields (web/base/..) 
via filtervalue parameter
-------------------
Assigned CVE: CVE-2017-7952

Reproduction steps:
-------------------
1. Log in with your EAM account
2. Go to any page with a search or filter field in it (for example 
web/base/WSJOBS.xmlhttp) 
3. Make any search and intercept the request with a proxy 
4. In the intercepted request, replace the value of "filteroperator" 
parameter with IN.
5. The "filtervalue" become vulnerable to SQL Injection

Example:
-------------------
URL:http://<EAM_IP>/web/base/WSJOBS.xmlhttp
POST DATA: 
GRID_ID=<ID>&GRID_NAME=WSJOBS&DATASPY_ID=<ID>&USER_FUNCTION_NAME=WSJOBS&SYSTEM_FUNCTION_NAME=WSJOBS&CURRENT_TAB_NAME=LST&COMPONENT_INFO_TYPE=DATA_ONLY&filterfields=<field>&filteroperator=IN&filtervalue=<injection 
point>

Exploitability
-------------------
Since the SQL injection vulnerability is available for any logged users, an 
attacker needs a valid credential to exploit that vulnerability. By 
exploiting that SQL Injection the attacker could obtain any available data 
(even if they donat belongs directly to him), eventually deleting and 
replacing data as well.

Impact
-------------------
This vulnerability allows full database access. It includes sensitive 
information that normally should be accessed by specific users.
An attacker could dump the user table, which contains usernames and 
password hashes, and proceed to bruteforcing passwords offline and could 
possibly obtain administrative credentials, or could access private files 
or personal details such as: telephone numbers, physical address and 
private assets.
Obtaining administrative credentials would allow an attacker to perform 
actions like: add or deleting users, jobs, and everything else an admin can 
do.
By having access to sensible information the attacker could eventually 
pivoting them to perform further attacks on different target assets.

Disclosure timeline
-------------------

26.04.2017 Vulnerability reported to vendor
15.05.2017 Advisory published


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    16 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close