EMC Centera Universal Access

2008.08.01
Credit: Aaron Brown
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

adMERITia Vulnerability Report

Vulnerability Information

Vendor: EMC²
Product: Centera Universal Access
Version: CUA4.0_4735.p4
Vulnerability Type: Software Flaw
Vulnerability: SQL Injection

Impact:
Attacker can bypass the authentication method and will be logged in as an arbitrary user. With specific knowledge of user names it is possible for an attacker to choose the user he/she wishes to log in as without a password.

Description:
The user name field of the CUA Module Login does not sanitize user input allowing for an attacker to run arbitrary SQL code. Through "--" syntax it is possible to comment out the password check allowing an attacker to log in with the first available user name in the table. After performing this several times or by searching through the "Accounts" tab within the CUA Module an attacker can gather a list of all users. With this list an attacker can select an administrator account and log in with this by simply entering the user name followed by "--".

How Vulnerability can be reproduced:
For an arbitrary account enter the following in the user field:
' --
For a targeted account enter the following in the user field:
valid_user_name' --

Release Information

Model: CENTERA_GEN_4
Software Version: CUA4.0_4735.p4
Operating System: Linux i386 V. 2.6.16.21-0.15_VCUA4_0_4735

Fix: (quote from the vendor)
"The remedy for the reported problems has been released on 30 June 2008 and is available on EMC Powerlink as CUA 4.0.1 Patch 1, under "Support -> Software Download"."

Vendor URL: www.emc.com

Vendor Status:
Vendor was informed of the problem, and was very cooperative in getting a patch developed for the problem. However, contact was broken off by the vendor after the relevant patch was released. The vendor has not yet published an advisory stating the reason for the latest patch or the discovered vulnerability in previous versions. This vulnerability was brought to the attention of the vendor on May 20, 2008 under the policy of responsible disclosure as documented at http://www.wiretrip.net/rfp/policy.html. After cooperating on a patch the vendor did not respond to requests to release a public advisory. Therefore we have taken the initiative to alert the public through various security publications.

Credit for this vulnerability finding should be given to:
Lars Heidelberg, adMERITia GmbH
Aaron Brown, adMERITia GmbH

Disclaimer

The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.

With kind regards
Aaron Brown
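The flaw class described in the advisory (a user name pasted into the SQL text, so that "--" removes the password check) shown beside a hardened login, as an added example that is not code from the advisory or from EMC. The accounts table, its column names, the sample users, the hash scheme and the use of SQLite as a stand-in database are all assumptions; only the targeted case from the advisory is modelled.

```python
import hashlib
import hmac
import sqlite3

def pw_hash(password):
    # Constructed storage scheme for this demo only (unsalted SHA-256).
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed sample accounts; the real CUA schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("operator", pw_hash("op-secret")),
                    ("admin", pw_hash("adm-secret"))])
    return db

def login_concat(db, user, password):
    # Flawed pattern: the user field becomes part of the SQL text, so a
    # quote followed by "--" turns the password clause into a comment.
    sql = ("SELECT name FROM accounts WHERE name = '" + user +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_checked(db, user, password):
    # Hardened pattern: the user name is bound as data, and the password
    # is verified in code, outside the query, with a constant-time compare.
    row = db.execute("SELECT name, pw_hash FROM accounts WHERE name = ?",
                     (user,)).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], pw_hash(password)) else None

if __name__ == "__main__":
    db = make_db()
    field = "admin' --"  # the advisory's targeted-account input
    print("concatenated query:", login_concat(db, field, "wrong"))
    print("bound parameter   :", login_checked(db, field, "wrong"))
    print("legitimate login  :", login_checked(db, "admin", "adm-secret"))
```
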

References:

http://xforce.iss.net/xforce/xfdb/43981
http://www.securitytracker.com/id?1020540
http://www.securityfocus.com/bid/30358
http://www.frsirt.com/english/advisories/2008/2219/references
http://secunia.com/advisories/31215
http://marc.info/?l=full-disclosure&m=121684757516717&w=2

