Hitachi HITSENSER Data Mart Server configuration function SQL injection

hitachi-hitsenser-sql-injection (24240) The risk level is classified as Medium Risk

Description:

Hitachi HITSENSER Data Mart Server is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the configuration function using various parameters, which could allow the attacker to add, modify, or delete information in the back-end database.

Platforms Affected:

  • Hitachi, HITSENSER Data Mart Server/BS C-7120-202 01-00 - 01-06
  • Hitachi, HITSENSER Data Mart Server/BS C-7120-212 01-00 - 01-06
  • Hitachi, HITSENSER Data Mart Server/BS C-7120-222 01-00 - 01-06
  • Hitachi, HITSENSER Data Mart Server/BS C-7120-232 01-00 - 01-06
  • Hitachi, HITSENSER Data Mart Server/BS C-7120-242 01-00 - 01-06

Remedy:

Upgrade to the appropriate fixed software version for your system, as listed in Hitachi Support Software Vulnerability Information HS05-026-01. See References.

Consequences:

Data Manipulation

References:

  • Hitachi Support Software Vulnerability Information HS05-026-01, SQL Injection Vulnerability in HITSENSER Data Mart Server at http://www.hitachi-support.com/security_e/vuls_e/HS05-026_e/01-e.html.
  • BID-16326: Hitachi HITSENSER Data Mart Server Unspecified SQL Injection Vulnerabilities
  • CVE-2006-0329: SQL injection vulnerability in HITSENSER Data Mart Server BS, BS-S, BS-M, BS-L, and EX allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.
  • OSVDB ID: 22669: Hitachi HITSENSER Data Mart Server Unspecified SQL Injection
  • SA18553: Hitachi HITSENSER Data Mart Server SQL Injection
  • SECTRACK ID: 1015519: Hitachi HITSENSER Data Mart Server Input Validation Flaw in Configuration Function Permits SQL Injection Attacks
  • VUPEN/ADV-2006-0266: Hitachi HITSENSER Data Mart Server Remote SQL Injection Vulnerability

Reported:

Jan 20, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
