J-Security Center

Title: GetSolutions GetIntranet Multiple Remote Input Validation Vulnerabilities

Severity: HIGH

Description:

getSolutions getIntranet is an inter-office communication tool designed to facilitate project management and communication. It is implemented with ASP technology and supports an underlying Microsoft SQL database.

Reportedly getSolutions getIntranet is affected by multiple remote input validation vulnerabilities. These issues are caused by a failure of the application to properly sanitize user-supplied input.

Multiple SQL injection vulnerabilities exist in the 'id', 'search', 'category', and 'ctype' parameters of various scripts, as well as in the username and password fields of the 'checklogin.asp' form and the Name, Surname, and ID Number fields of the 'lostpassword.asp' script. These issues could be leveraged to carry out typical SQL injection attacks that disclose or corrupt data, as well as to execute arbitrary commands through the xp_cmdshell function of the underlying Microsoft SQL Server.

An HTML injection issue exists in the 'Send Message' form. The application fails to sanitize the subject and comments fields of this form. By sending a message that includes malicious script code in one of these fields, an attacker can have arbitrary script code executed in the browser of an unsuspecting user who views the message.

It is possible to carry out arbitrary commands in the context of the application by manipulating URI requests to correspond with arbitrary commands issued against arbitrary resources. By exploiting this issue, arbitrary authenticated users can view and delete the resources, including email, of arbitrary users.

Attackers may upload arbitrary files to the affected computer through the provided functionality. The uploaded file can then be called and executed by an authenticated attacker.

Finally, it is possible for a user to arbitrarily set their administration level by manipulating the 'T47' post variable. Unprivileged users have a 'T47' value of 1; updating this to 4 will escalate their privileges to administrator.
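
The privilege-level flaw described above, modelled as an added example (Python for illustration; this is not getIntranet's ASP code): a handler that trusts the posted 'T47' value beside one that allow-lists fields and takes the caller's level from the server-side record. Every name other than 'T47' and its values 1 and 4 is an assumption, as is the 1 to 4 range of levels.

```python
# Added illustration of the 'T47' flaw; not getIntranet's own (ASP) code.
# Every name except T47 and its values 1 and 4 is hypothetical.
UNPRIVILEGED, ADMINISTRATOR = 1, 4     # T47 values stated in the advisory
SELF_EDITABLE = {"name", "surname"}    # assumed user-editable fields

class Forbidden(Exception):
    """Raised when the caller may not make the requested change."""

def update_profile_vulnerable(record, form):
    """Copies every posted field, so a posted T47 replaces the stored level."""
    updated = dict(record)
    updated.update(form)
    updated["T47"] = int(updated["T47"])
    return updated

def update_profile_hardened(record, form, actor):
    """Applies allow-listed fields; a T47 change needs an administrator.

    `actor` is the server-side record of the logged-in user, never form data.
    """
    updated = dict(record)
    for field, value in form.items():
        if field in SELF_EDITABLE:
            updated[field] = value
        elif field == "T47":
            level = int(value)         # non-numeric input raises ValueError
            # Assumption: valid levels are the integers 1 through 4.
            if not UNPRIVILEGED <= level <= ADMINISTRATOR:
                raise ValueError("T47 out of range")
            # A legacy form may echo the current level; only a change is gated.
            if level != record["T47"] and actor["T47"] != ADMINISTRATOR:
                raise Forbidden("only administrators may change T47")
            updated["T47"] = level
        else:
            raise ValueError(f"unexpected field: {field}")
    return updated

if __name__ == "__main__":
    user = {"id": 7, "name": "Sam", "T47": UNPRIVILEGED}  # constructed sample
    posted = {"name": "Sam", "T47": "4"}                  # constructed form data
    print(update_profile_vulnerable(user, posted))
    try:
        update_profile_hardened(user, posted, actor=user)
    except Forbidden as exc:
        print("rejected:", exc)
```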

These issues may be leveraged to carry out SQL injection attacks, HTML injection attacks, arbitrary file uploads, privilege escalation, command execution in the context of the vulnerable application, and command execution in the context of the affected system.

Affected Products:

  • getSolutions getIntranet 2.2.0
