Summary
This host is running Ultra Electronics AEP
Ultra Protect and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow attacker
to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Impact Level: Application
Solution
No solution or patch is available as of
30th January, 2015. Information regarding this issue will be updated once the solution details are available.
For updates refer to https://www.northbridgesecure.com/products/netilla-os
Insight
Multiple flaws are due to,
- The /preauth/login.cgi script not properly sanitizing user-supplied input to the 'realm' GET parameter.
- The /preauth/login.cgi not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') supplied via the 'realm' GET parameter.
Affected
Ultra Electronics - Series A
Version 7.2.0.19 and 7.4.0.7
Detection
Send a crafted request via HTTP GET and
check whether it is able to read information or not.
References
Severity
Classification
-
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Andy's PHP Knowledgebase 'step5.php' Remote PHP Code Execution Vulnerability
- ASP-Dev XM Event Diary Multiple Vulnerabilities
- Adobe ColdFusion Components (CFC) Denial Of Service Vulnerability
- AproxEngine Multiple Remote Input Validation Vulnerabilities
- AIOCP 'cp_html2xhtmlbasic.php' Remote File Inclusion Vulnerability