ASAS Server End User Self Service (EUSS) SQL Injection Vulnerability Network Vulnerability

Summary

The host is running Authenex ASAS and is prone to SQL injection vulnerability.

Impact

Successful exploitation will let attackers to authenex database, dump all the OTP tokens, users information including credentials. Impact Level: Application

Solution

Apply the patc from below link, http://support.authenex.com/ ***** NOTE: Ignore this warning, if above mentioned patch is manually applied. *****

Insight

The flaw is due to an input passed to the 'rgstcode' parameter in 'akeyActivationLogin.do', is not properly sanitised before being used in SQL queries.

Affected

Authenex ASAS version 3.1.0.3 and prior.

References

http://packetstormsecurity.org/files/view/105287/authenex-sql.txt
http://support.authenex.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=125
http://www.securelist.com/en/advisories/46103

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4801
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

AlienVault OSSIM Multiple Remote Code Execution Vulnerabilities
ATutor < 1.5.1-pl1 Multiple Flaws
Astium VoIP PBX SQL Injection Vulnerability
AWStats configdir parameter arbitrary cmd exec
Atutor AChecker Multiple SQL Injection and XSS Vulnerabilities

Take action and discover your vulnerabilities