BugTraq
Back to list
|
Post reply
[CAID 35277]: CA CleverPath Portal SQL Injection Vulnerability
Apr 26 2007 05:54AM
Williams, James K (James Williams ca com)
Title: [CAID 35277]: CA CleverPath Portal SQL Injection
Vulnerability
CA Vuln ID (CAID): 35277
CA Advisory Date: 2007-04-24
Reported By: Hacktics Ltd
Impact: Local attacker can access confidential data.
Summary: CA CleverPath Portal contains a vulnerability that can
allow a local attacker to access confidential data. The
vulnerability is due to insufficient filtering of SQL search
queries. CA has issued a patch to address the vulnerability.
Mitigating Factors:
1. Lite Search is required for this scenario.
2. Data can not be modified using this technique.
3. Attacker must have a valid username and password.
Severity: CA has given this vulnerability a Low risk rating.
Affected Products:
BrightStor Portal 11.1
CleverPath Aion 10, 10.1, 10.2
CleverPath Portal 4.51, 4.7, 4.71
eTrust Security Command Center (eTrust SCC) 1, 8
Unicenter Argis Portfolio Asset Management 11
Unicenter Database Management Portal 11, 11.1
Unicenter Enterprise Job Manager (UEJM) 3, 11
Unicenter Management Portal (UMP) 2, 3.1, 11
Affected Platforms:
All supported platforms
Status and Recommendation:
Customers using vulnerable versions of CleverPath Portal should
apply the patch, which is available for download from
http://supportconnect.ca.com.
CleverPath Portal solution - QO87601
How to determine if the installation is affected:
To determine if you are using the Lite Search feature, log in to
the Portal Administration area. On the Global Properties page, you
can view the current Search Engine configuration.
Workaround:
None available
References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
CleverPath Portal Security Notice
http://supportconnectw.ca.com/public/cp/portal/infodocs/portal-secnot.as
p
Solution Document Reference APARs:
QO87601
CA Security Advisor posting:
CA CleverPath Portal SQL Injection Vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=136879
CAID: 35277
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35277
Reported By: Hacktics Ltd
Hacktics advisory:
Security Advisory: CA CleverPath SQL Injection
http://www.hacktics.com/AdvCleverPathApr07.html
CVE Reference: CVE-2007-2230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2230
OSVDB Reference: OSVDB-34128
http://osvdb.org/34128
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability"
form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Title: [CAID 35277]: CA CleverPath Portal SQL Injection
Vulnerability
CA Vuln ID (CAID): 35277
CA Advisory Date: 2007-04-24
Reported By: Hacktics Ltd
Impact: Local attacker can access confidential data.
Summary: CA CleverPath Portal contains a vulnerability that can
allow a local attacker to access confidential data. The
vulnerability is due to insufficient filtering of SQL search
queries. CA has issued a patch to address the vulnerability.
Mitigating Factors:
1. Lite Search is required for this scenario.
2. Data can not be modified using this technique.
3. Attacker must have a valid username and password.
Severity: CA has given this vulnerability a Low risk rating.
Affected Products:
BrightStor Portal 11.1
CleverPath Aion 10, 10.1, 10.2
CleverPath Portal 4.51, 4.7, 4.71
eTrust Security Command Center (eTrust SCC) 1, 8
Unicenter Argis Portfolio Asset Management 11
Unicenter Database Management Portal 11, 11.1
Unicenter Enterprise Job Manager (UEJM) 3, 11
Unicenter Management Portal (UMP) 2, 3.1, 11
Affected Platforms:
All supported platforms
Status and Recommendation:
Customers using vulnerable versions of CleverPath Portal should
apply the patch, which is available for download from
http://supportconnect.ca.com.
CleverPath Portal solution - QO87601
How to determine if the installation is affected:
To determine if you are using the Lite Search feature, log in to
the Portal Administration area. On the Global Properties page, you
can view the current Search Engine configuration.
Workaround:
None available
References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for this vulnerability:
CleverPath Portal Security Notice
http://supportconnectw.ca.com/public/cp/portal/infodocs/portal-secnot.as
p
Solution Document Reference APARs:
QO87601
CA Security Advisor posting:
CA CleverPath Portal SQL Injection Vulnerability
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=136879
CAID: 35277
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35277
Reported By: Hacktics Ltd
Hacktics advisory:
Security Advisory: CA CleverPath SQL Injection
http://www.hacktics.com/AdvCleverPathApr07.html
CVE Reference: CVE-2007-2230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2230
OSVDB Reference: OSVDB-34128
http://osvdb.org/34128
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory, please
send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability"
form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.
[ reply ]