Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass
From: ddivulnalert <ddivulnalert () ddifrontline com>
Date: Tue, 29 May 2012 10:13:18 -0500

Title
-----
DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass

Severity
--------
High

Date Discovered
---------------
April 2, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r () b13$

Vulnerability Description
-------------------------
Multiple SQL injection vectors and an authentication bypass were discovered in SCLIntra Enterprise. An attacker can 
leverage this flaw to bypass authentication to the application or to execute arbitrary SQL commands and extract 
information from the backend database using standard SQL exploitation techniques.

Solution Description
--------------------
The vendor has indicated that the current version of SCLIntra Enterprise is version 6 and does not contain the 
vulnerabilities reported by DDI. Any SCLIntra Enterprise customers still using versions prior to 6 should contact 
SCLogic at 1.888.700.7027 to remedy the vulnerabilities (a current SCLogic support contract is required).

Tested Systems / Software
-------------------------
SCLogic SCLIntra Enterprise 5.5.2 on Windows 2003

Vendor Contact
--------------
Vendor Name: SCLogic
Vendor Website: http://www.sclogic.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • DDIVRT-2012-43 SCLIntra Enterprise SQL Injection and Authentication Bypass ddivulnalert (May 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]