CUA Login module username SQL injection
| cua-login-username-sql-injection (43981) |  Medium Risk |
Description:
EMC Centera Universal Access (CUA) Login module is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the username field using an unknown parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Platforms Affected:
- EMC, Centera Universal Access 4.0_4735 P4
Remedy:
Apply the patch for this vulnerability (CUA 4.0.1 Patch 1), available from the EMC Web site. See References.
Consequences:
Data Manipulation
References:
- EMC Web site, EMC Centera Universal Access at http://www.emc.com/products/detail/software/emc-centera-universal-access.htm.
- Full-Disclosure Mailing List, Wed Jul 23 2008 - 12:09:27 CDT, Vulnerability Report: EMC Centera Universal Access at http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0403.html.
- BID-30358: EMC Centera Universal Access 'username' Parameter SQL Injection Vulnerability
- CVE-2008-3370: SQL injection vulnerability in the CUA Login Module in EMC Centera Universal Access (CUA) 4.0_4735.p4 allows remote attackers to execute arbitrary SQL commands via the user (user name) field.
- SA31215: EMC Centera Universal Access SQL Injection Vulnerability
- SECTRACK ID: 1020540: EMC Centera Universal Access Input Validation Flaw in Login Module Lets Remote Users Inject SQL Commands
- VUPEN/ADV-2008-2219: EMC Centera Universal Access Remote SQL Inection Vulnerability
Reported:
Jul 23, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net