CVE-2013-2594
Description
SQL injection vulnerability in reports/calldiary.php in Hornbill Supportworks ITSM 1.0.0 through 3.4.14 allows remote attackers to execute arbitrary SQL commands via the callref parameter.
Mitigations
No mitigations published for this CVE yet.
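The vendor has not published a fix version, and the advisory below only recommends upgrading. As an added illustration of the CWE-89 pattern this CVE falls under, and not code from Hornbill or from the advisory author, the following Python snippet contrasts a lookup that concatenates the callref parameter into SQL with one that validates it and binds it as a parameter. The in-memory SQLite table, its column names, and the assumption that a call reference is purely numeric are all constructed for the example; the real Supportworks schema and callref format are not documented on this page.

```python
import sqlite3

# Constructed sample data standing in for a call-diary table.
# Table and column names are assumptions for illustration only.
SAMPLE_ROWS = [
    ("1001", "Initial call logged"),
    ("1002", "Escalated to second line"),
    ("1003", "Resolved"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calldiary (callref TEXT, entry TEXT)")
    conn.executemany("INSERT INTO calldiary VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, callref):
    """CWE-89 pattern: untrusted callref is spliced into the statement text.

    A value such as  1001' OR '1'='1  closes the quoted literal and appends
    its own condition, so the query returns every row instead of one.
    """
    sql = "SELECT callref, entry FROM calldiary WHERE callref = '%s'" % callref
    return conn.execute(sql).fetchall()


def safe_lookup(conn, callref):
    """Hardened form: allowlist the input, then bind it as a parameter.

    Assumption (not from the page): call references are purely numeric.
    Binding alone already prevents injection; the allowlist additionally
    rejects junk early and gives a clean error to log on.
    """
    if not callref.isdigit():
        raise ValueError("callref must be numeric")
    sql = "SELECT callref, entry FROM calldiary WHERE callref = ?"
    return conn.execute(sql, (callref,)).fetchall()


def is_rejected(conn, callref):
    """True when the hardened lookup refuses the supplied callref."""
    try:
        safe_lookup(conn, callref)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "1001' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, payload))   # all three rows
    print("safe, valid:", safe_lookup(db, "1001"))          # one row
    print("safe, payload rejected:", is_rejected(db, payload))
```

The webshell step the advisory mentions (MySQL `INTO OUTFILE`) is a consequence of the same injection, not a separate bug: it only works when the application's database account holds the FILE privilege, `secure_file_priv` does not restrict the target directory, and the database server can write into a path the web server serves. Running the application's database user without FILE and with `secure_file_priv` set is a defence-in-depth measure that stands on its own, even before the query is fixed.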
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Hornbill Supportworks ITSM 1.0.0 - SQL Injection
Summary
SQL Injection Vulnerability in ITSM component of Hornbill Supportworks Application
CVE number: CVE-2013-2594
Impact: High
Vendor homepage: http://www.hornbill.com
Vendor notified: 19/11/2012
Vendor response: This issue has reportedly been fixed but the vendor refused to give version details.
Credit: Joseph Sheridan of ReactionIS
Affected Products
Supportworks ITSM versions 1.0.0 and possibly other versions
Details
There is a SQL injection vulnerability in the ITSM component of the Supportworks Application. The vulnerable file is calldiary.php found in the /reports folder of the webroot. The following URL demonstrates the issue:
http://vulnhost.com/reports/calldiary.php?callref=VULN
This attack can be used to take full control of the host by writing a php webshell document (using mysql 'into outfile') to the webroot.
Impact
An attacker may be able to take full control of the Supportworks server and execute arbitrary operating-system commands.
Solution
Upgrade to the latest available ITSM version - contact Vendor for more details.
http://www.reactionpenetrationtesting.co.uk
http://www.reactionpenetrationtesting.co.uk/research.html
http://www.reactionpenetrationtesting.co.uk/security-testing-services.html
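The advisory gives defenders two concrete indicators: the vulnerable path (/reports/calldiary.php), the parameter (callref), and the post-exploitation technique (INTO OUTFILE). As an added example that is not part of the advisory or of any vendor tooling, the following Python script scans web-server access logs for requests that hit that path with a callref value carrying SQL metacharacters or keywords, including double-encoded ones. The log lines are constructed for the example and follow the Apache/nginx combined format; the assumption that a legitimate callref is purely numeric is the author's, not the page's, so adjust the allowlist if your deployment uses a different format.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined-log-format request line: client, identd, user, [timestamp], "METHOD target PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Substrings that have no business inside a call reference. Matched case-insensitively
# against the fully decoded value; "into outfile" is the webshell-drop technique
# the advisory describes, the rest are common SQL injection building blocks.
SQLI_MARKERS = (
    "'", '"', "--", "/*", "#", ";", " or ", " and ",
    "union", "select", "into outfile", "load_file", "sleep(", "benchmark(",
)

# Constructed sample log lines (not real traffic). Line 2 drops a webshell via
# INTO OUTFILE, line 3 is a double-encoded tautology, line 4 is a different
# script and is ignored, line 5 is malformed but carries no SQL markers.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2013:10:01:02 +0100] "GET /reports/calldiary.php?callref=1001 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [24/Apr/2013:10:05:44 +0100] "GET /reports/calldiary.php?callref=1001%27%20UNION%20SELECT%20%27%3C%3Fphp%20system%28%24_GET%5Bc%5D%29%3B%20%3F%3E%27%20INTO%20OUTFILE%20%27/var/www/html/x.php%27--%20- HTTP/1.1" 200 4411',
    '203.0.113.9 - - [24/Apr/2013:10:05:50 +0100] "GET /reports/calldiary.php?callref=1001%2527%20or%20%25271%2527%3D%25271 HTTP/1.1" 200 5123',
    '10.0.0.8 - - [24/Apr/2013:10:06:00 +0100] "GET /index.php?callref=1%27 HTTP/1.1" 200 100',
    '10.0.0.9 - - [24/Apr/2013:10:06:30 +0100] "GET /reports/calldiary.php?callref=abc HTTP/1.1" 200 5123',
]


def extract_callref(target):
    """Return the decoded callref for requests to /reports/calldiary.php, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/reports/calldiary.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("callref")
    if not values:
        return None
    # parse_qs already percent-decodes once; a second pass catches %2527-style
    # double encoding that some attackers use to slip past naive filters.
    return unquote_plus(values[0])


def classify_callref(value):
    """Classify a decoded callref as 'sqli', 'malformed' or 'benign'."""
    lowered = value.lower()
    hits = [marker for marker in SQLI_MARKERS if marker in lowered]
    if hits:
        return "sqli", hits
    if not value.isdigit():          # assumption: legitimate callrefs are numeric
        return "malformed", []
    return "benign", []


def scan(lines):
    """Return one finding per suspicious calldiary.php request in the given log lines."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        callref = extract_callref(match["target"])
        if callref is None:
            continue
        verdict, hits = classify_callref(callref)
        if verdict != "benign":
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "callref": callref,
                "verdict": verdict,
                "markers": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `scan(open(path))`. Because the check runs on the decoded value, it catches the double-encoded tautology on line 3 that a filter applied to the raw URL would miss; the trade-off is that any numeric-only allowlist must match the callref format actually used in your deployment, otherwise legitimate traffic lands in the "malformed" bucket.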
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hornbill | supportworks_itsm | 1.0.0 | |
| hornbill | supportworks_itsm | 3.4.14 | |
References
- http://osvdb.org/92757
- http://packetstormsecurity.com/files/121402/Hornbill-Supportworks-ITSM-1.0.0-SQL-Injection.html
- http://seclists.org/fulldisclosure/2013/Apr/232
- http://www.exploit-db.com/exploits/25002
- http://www.reactionpenetrationtesting.co.uk/hornbill-supportworks-sql-injection.html
- http://www.securityfocus.com/bid/59439
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83767
CWEs
CWE-89