Hitachi HITSENSER3 configuration and Multidimensional Data Analyzer SQL injection

hitachi-hitsenser3-sql-injection (26749). The risk level is classified as Medium Risk.

Description:

Hitachi HITSENSER3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the configuration or the Multidimensional Data Analyzer function using unspecified parameters, which could allow the attacker to view, add, modify, or delete information in the back-end database.


Consequences:

Data Manipulation

Remedy:

Upgrade to the appropriate fixed software version for your system, as listed in Hitachi Support Software Vulnerability Information HS06-011-01. See References.

References:

  • Hitachi Software Vulnerability Information HS06-011: SQL Injection Vulnerability in HITSENSER3.
  • BID-18181: Hitachi Hitsenser3 SQL Injection Vulnerability
  • CVE-2006-2761: SQL injection vulnerability in Hitachi HITSENSER3 HITSENSER3/PRP, HITSENSER3/PUP, HITSENSER3/STP, and HITSENSER3/EUP allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.
  • SA20347: Hitachi HITSENSER3 SQL Injection Vulnerability
  • SECTRACK ID: 1016190: HITSENSER3 Input Validation Flaws Let Remote Users Inject SQL Commands to Bypass Authentication
  • VUPEN/ADV-2006-2063: Hitachi HITSENSER3 SQL Injection and Authentication Bypass Vulnerability

Platforms Affected:

  • Hitachi HITSENSER3/EUP C-A7120-102 01-02 - 01-08
  • Hitachi HITSENSER3/PRP C-A7120-072 01-02 - 01-08
  • Hitachi HITSENSER3/PUP C-A7120-082 01-02 - 01-08
  • Hitachi HITSENSER3/STP C-A7120-092 01-02 - 01-08

Reported:

May 31, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
