##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##
||                                                                  ||
||  Exploit Title    : Kwok Information Server Blind Sql Injection  ||
||  Vendor Homepage  : http://www.kwoksys.com/index.php             ||
||  Affected Version : 2.7.3 & 2.8.4                                ||
||  Risk             : Medium                                       ||
||  Tested on        : Windows 7                                    ||
||  CVE-ID           : 2013-5028                                    ||
||  Exploit Author   : Yogesh Phadtare                              ||
||                     Secur-I Research Group                       ||
||                     http://securview.com/                        ||
||                                                                  ||
##=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+##
======================================================================
Product Description:

Kwok Information Server is an open source IT management system,
providing a single application for managing IT assets, software
licenses, contracts, issues, contacts. Additional modules include
portal, RSS, blogging. (from product home page)

======================================================================
Vulnerability Description:

A Blind SQL Injection vulnerability has been detected in Kwok
Information Server. The application fails to sanitize user-supplied
input in the parameters "hardwareType", "hardwareStatus" and
"hardwareLocation" of page hardware-index. The user must be
authenticated to exploit this vulnerability.

This vulnerability was tested with Kwok Information Server 2.7.3 and
2.8.4. Other versions may also be affected.

======================================================================
Impact:

Successful exploitation of this vulnerability will allow a remote
authenticated attacker to extract sensitive and confidential data from
the database.

======================================================================
Proof of Concept:

1] Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareType=49[Inject Payload Here]

2] Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareStatus=0[Inject Payload Here]

3] Url: http://10.10.75.59:8080/kwok/IT/hardware-list.dll?cmd=search&hardwareLocation=0[Inject Payload Here]

======================================================================
Solution:

This vulnerability has been fixed in version 2.8.5 of Kwok Information
Server.
======================================================================
Disclosure Timeline:

~Vendor notification:     31st July
~Vendor response:         31st July
~Vendor released updates: 7th August
~Public disclosure:       12th September

======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
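
Added example, not part of the original advisory: a log check that flags requests to the hardware-list.dll endpoint where one of the three affected parameters carries anything other than an integer. It assumes a common/combined-format access log and that legitimate values are numeric IDs (as in the PoC URLs); the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters and endpoint taken from the advisory's proof-of-concept URLs.
WATCHED_PARAMS = ("hardwareType", "hardwareStatus", "hardwareLocation")
ENDPOINT_SUFFIX = "/IT/hardware-list.dll"
# Assumption: legitimate values are plain integer IDs (the PoC shows 49 and 0).
NUMERIC_ID = re.compile(r"[0-9]+")
# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched params that are not integers."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith(ENDPOINT_SUFFIX):
        return []
    query = parse_qs(url.query, keep_blank_values=True)
    return [(name, value)
            for name in WATCHED_PARAMS
            for value in query.get(name, [])
            # An empty value (filter left unset) is treated as benign.
            if value and not NUMERIC_ID.fullmatch(value)]

def scan(lines):
    """Return [(line_number, hits)] for every log line with at least one hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = suspicious_params(line)
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample log lines (documentation addresses, made-up users).
SAMPLE_LOG = [
    '192.0.2.5 - alice [12/Sep/2013:10:01:02 +0000] "GET /kwok/IT/hardware-list.dll?cmd=search&hardwareType=49 HTTP/1.1" 200 5120',
    '192.0.2.9 - bob [12/Sep/2013:10:01:07 +0000] "GET /kwok/IT/hardware-list.dll?cmd=search&hardwareType=49%27 HTTP/1.1" 500 312',
    '192.0.2.9 - bob [12/Sep/2013:10:01:09 +0000] "GET /kwok/IT/hardware-list.dll?cmd=search&hardwareStatus=0+AND+1%3D1&hardwareLocation=0 HTTP/1.1" 200 5120',
    '192.0.2.5 - alice [12/Sep/2013:10:02:00 +0000] "GET /other/page?hardwareType=x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric value(s) {hits}")
```

Only query strings recorded in the access log are inspected; parameters sent in a POST body do not appear there and need application-level or WAF logging.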
