Date: 27 February 2007
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2007.0033 AUSCERT Advisory
[Win]
JIWA Financials reporting allows execution of arbitrary SQL commands
28 February 2007
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: JIWA Financials 6.4.14
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Increased Privileges
Access: Existing Account
Member content until: Monday, June 26 2006
Revision History:
February 28 2007: Updated mitigation: 06.05.00 and later not vulnerable
June 6 2006: Updated mitigation with further patch information
May 30 2006: Initial Release
OVERVIEW:
JIWA Financials reporting module allows a logged in user to specify
an arbitrary report file for processing. This report is supplied
with database credentials with full control over the JIWA database,
possibly leading to the execution of arbitrary SQL commands.
IMPACT:
An authenticated but non-privileged JIWA Financials user may be
able to access, modify or delete data beyond that appropriate for
their role. This vulnerability could be leveraged to insert
arbitrary data into the system.
MITIGATION:
JIWA have released a patch to protect against this vulnerability.
JIWA Financials users can download and install this patch through
the customer and partner download areas on their website at:
http://www.jiwa.com.au
As of December 17 2006 JIWA Financials version 06.05.00 has been
released. In this version the reporting SQL credentials give
read-only access by default, removing this vulnerability for
new installations and existing installations upgraded to version
06.05.00 or later.
CREDITS:
Robert Passlow brought this issue to our attention.
JIWA (http://www.jiwa.com.au) have assisted with mitigation
information, vulnerability clarification and patch scheduling.
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBReUvqih9+71yA2DNAQLkewP+OZ92BTr3IZXfnd0apxKjthroydQIwoz5
OZn+Oo7Hynw02NZpIRTQ5MqCj1G8JjXNntrmnf0C0Wt2CApM7M89lKZVJxCtRdLE
oGf55gTGTFhCM1xeDHKIjjL8DbTw04Ryz0s3XNfuM5NGO+cPtX9k5IwKEHdMeRno
CQ2OXOh/wcs=
=wOAn
-----END PGP SIGNATURE-----
|