Vulnerability scan indicates that Messaging Gateway login page may be vulnerable to blind SQL injection

search cancel

Vulnerability scan indicates that Messaging Gateway login page may be vulnerable to blind SQL injection

book

Article ID: 258706

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

A scan of Messaging Gateway by Nessus or other vulnerability scanner indicates a potential vulnerability to blind SQL injection:

42424 - CGI Generic SQL Injection (blind)

Synopsis

A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

Description

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.


http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.nessus.org/u?ed792cf5
http://www.nessus.org/u?11ab1866

Environment

Release : 10.8.0

Resolution

The SQL injection scan results have been investigated and it is has been confirmed to be a false positive. The SMG Control Center login page is not susceptible to blind SQL injection.

Feedback

thumb_up Yes

thumb_down No