Vtls-Virtua 'InfoStation.cgi' Multiple SQL Injection Vulnerabilities Network Vulnerability

Summary

This host is installed with vtls-Virtua and is prone to multiple sql injection vulnerabilities.

Impact

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code and SQL statements on the vulnerable system, which may leads to access or modify data in the underlying database. Impact Level: Application

Solution

Upgrade to version 2014.1.1 or 2013.2.4 or higher, for updates refer to http://www.vtls.com/products/vtls-virtua

Insight

Flaw is due to the /web_reports/cgi-bin/InfoStation.cgi script not properly sanitizing user-supplied input to the 'username' and 'password' parameters.

Affected

vtls-Virtua version 2014.X and 2013.2.X

Detection

Send a crafted data via HTTP GET request and check whether it is able to execute sql query or not.

References

http://packetstormsecurity.com/files/127997
http://seclists.org/fulldisclosure/2014/Aug/64
http://www.osvdb.com/110436

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-2081
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Alchemy Eye HTTP Command Execution
Andy's PHP Knowledgebase 'step5.php' Remote PHP Code Execution Vulnerability
Apache Struts2 Showcase Arbitrary Java Method Execution vulnerability
Astium VoIP PBX SQL Injection Vulnerability
4psa Voipnow Local File Inclusion Vulnerability

vtls-Virtua 'InfoStation.cgi' Multiple SQL Injection Vulnerabilities

Take action and discover your vulnerabilities