copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
Security Bul...
»
AusCERT Advi...
» AA-2006.0033 -- [Win] -- JIWA Financials reporting a...
AA-2006.0033 -- [Win] -- JIWA Financials reporting allows execution of arbitrary SQL commands
Date:
27 February 2007
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AA-2007.0033 AUSCERT Advisory [Win] JIWA Financials reporting allows execution of arbitrary SQL commands 28 February 2007 - --------------------------------------------------------------------------- AusCERT Advisory Summary ------------------------ Product: JIWA Financials 6.4.14 Operating System: Windows Impact: Execute Arbitrary Code/Commands Increased Privileges Access: Existing Account Member content until: Monday, June 26 2006 Revision History: February 28 2007: Updated mitigation: 06.05.00 and later not vulnerable June 6 2006: Updated mitigation with further patch information May 30 2006: Initial Release OVERVIEW: JIWA Financials reporting module allows a logged in user to specify an arbitrary report file for processing. This report is supplied with database credentials with full control over the JIWA database, possibly leading to the execution of arbitrary SQL commands. IMPACT: An authenticated but non-privileged JIWA Financials user may be able to access, modify or delete data beyond that appropriate for their role. This vulnerability could be leveraged to insert arbitrary data into the system. MITIGATION: JIWA have released a patch to protect against this vulnerability. JIWA Financials users can download and install this patch through the customer and partner download areas on their website at: http://www.jiwa.com.au As of December 17 2006 JIWA Financials version 06.05.00 has been released. In this version the reporting SQL credentials give read-only access by default, removing this vulnerability for new installations and existing installations upgraded to version 06.05.00 or later. CREDITS: Robert Passlow brought this issue to our attention. JIWA (http://www.jiwa.com.au) have assisted with mitigation information, vulnerability clarification and patch scheduling. AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBReUvqih9+71yA2DNAQLkewP+OZ92BTr3IZXfnd0apxKjthroydQIwoz5 OZn+Oo7Hynw02NZpIRTQ5MqCj1G8JjXNntrmnf0C0Wt2CApM7M89lKZVJxCtRdLE oGf55gTGTFhCM1xeDHKIjjL8DbTw04Ryz0s3XNfuM5NGO+cPtX9k5IwKEHdMeRno CQ2OXOh/wcs= =wOAn -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1978&it=6359