Sep 142015
In accordance with Google’s responsible disclosure policy I’m releasing the details for CVE-2015-5376 “WiNPAT Portal 3 – Unauthenticated SQL Injection Exploit” 90 days after the initial report to the software manufacturer GSI Office.
They took the reported vulnerability very seriously and fixed it within days. Furthermore they even audited the rest of the application for possible further technical (with a focus on the OWASP Top 10) and/or logical problems.
Congratulations GSI Office, that’s the perfect way to handle a security related bug report. And please keep in mind: Not a single software on this earth is bug free: It really depends on how you handle them!
# Title: WiNPAT Portal 3 - Unauthenticated SQL Injection Exploit # Date: 8.7.2015 # Exploit Author: Florian Bogner [ mail: florian (at) bogner (at) sh - web: https://bogner.sh ] # Vendor Homepage: http://www.gsi-office.de/en/products/winpat-portal # Version: verified for 3.2.0.1001 - 3.6.1.0 # Tested on: IIS7.5 and MS SQL Server # CVE : CVE-2015-5376 Application Description ========================================================== WiNPAT Portal is a web based IT-solution for law firms and corporate intellectual property departments in industry and research. Using WiNPAT Portal you gain the ability to handle all tasks in the area of IP management in a timely manner via the internet. With WiNPAT Portal we have created an environment to provide simultaneous access to all database driven applications which you have deployed in your office or department. In interaction with the WiNPAT process oriented workflow management, it automates relevant business processes in a transparent and comfortable way. Vulnerability Description ========================================================== This issue affects the login form of GSi Office's WiNPAT Portal 3. Although it has only been verified for version 3.2 to 3.6 it is probably applicable for a wider version range. It is caused by not validating the user's input of the login form's username field and thereby allows an attacker to insert malicious SQL commands. This is a very severe issue as it can be exploited without any prior authentication. Only blind time based attacks are possible. Exploit ========================================================== To exploit this issue the HTTP POST parameter LoginControl%24txtUserLogin of the login form has to be modified. An easy way to validate the vulnerability is to use the following credentials: ------------------------------------------ Username: 1');WAITFOR DELAY '0:0:10'-- Password: [None] ------------------------------------------ If successful, the page load will take about ten seconds. To further exploit this vulnerability it is recommended to use sqlmap (http://sqlmap.org/).