SQL Injection Vulnerability - Storage Manager

After upgrading Storage Manager to the latest version 5.2, to fix a vulnerability, our 3rd party vendor identified a new high level SQL injection vulnerability with this application.  This was submitted to development almost a month ago, but has yet to be addressed.  This needs to be resolved since this is a high risk item, but it doesn't appear that anyone's made any progress with it. 

This is the high level description that we received from our vulnerability analysis system:

This host has a web application that is vulnerable to a SQL injection authentication bypass. SQL injection authentication bypasses occur when an attacker is able to supply input in such a way that the resulting combined SQL statement executed on the web server is both valid and results in login access.

7 Replies
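The scanner text quoted in the opening post describes the generic pattern only. The following is an added example, not Storage Manager's code (the thread does not show its schema or queries): a constructed SQLite users table, a login function that builds its SQL by string formatting and is bypassed by the classic `' OR '1'='1' --` and `admin' --` payloads, and the same login with bound parameters, which treats those payloads as data. The table, column names, sample accounts and payload list are all assumptions chosen for the demonstration. The `successful_bypasses` helper is the kind of check a scanner runs and the regression test worth re-running after a vendor fix.

```python
"""Added example (not Storage Manager code): SQL injection authentication bypass.

The users table, its columns and the sample accounts below are constructed
assumptions for demonstration; the thread does not show the real schema.
"""
import sqlite3
from typing import Callable, List, Optional

# Constructed sample accounts. Real systems store a password hash, not the
# password itself; that does not change the bypass shown here.
SAMPLE_USERS = [("admin", "S3cret!"), ("jerod", "hunter2")]

# Classic bypass payloads a scanner would try in the username field.
BYPASS_PAYLOADS = [
    "' OR '1'='1' --",   # always-true predicate, rest of the statement commented out
    "admin' --",         # targets a known account and discards the password check
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Vulnerable: the statement is built by string formatting, so the
    attacker's quote and comment characters become SQL syntax and the
    combined statement is still valid."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened: bound parameters are handed to the engine as data, so the
    statement's structure is fixed before any user input is seen."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def successful_bypasses(
    login: Callable[[sqlite3.Connection, str, str], Optional[str]],
    conn: sqlite3.Connection,
) -> List[str]:
    """Return the payloads that log in with a wrong password: the check a
    scanner performs, and a regression test to keep after a vendor fix."""
    return [
        p for p in BYPASS_PAYLOADS if login(conn, p, "not-the-password") is not None
    ]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", successful_bypasses(login_vulnerable, db))
    print("parameterized:", successful_bypasses(login_parameterized, db))
```

With the string-built query, the first payload turns the WHERE clause into `username = '' OR '1'='1' -- ...`, which matches every row and returns the first account, while the second comments out the password check for a named account; the parameterized query returns nothing for either, because the quote and `--` never reach the SQL parser as syntax.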
Community Manager

Do you have a case #?


Yes.

Case 325182


Thanks, we're looking into this.  Will update this thread when I have details.

Danielle


Does anyone happen to know if this is the same vulnerability that was in the previous version, and if so, does its application in the previous version prevent the product from experiencing this in 5.2?


It seems to be different.  We had the original vulnerability show up in the previous version.  We applied the upgrade to fix that issue and it then came back clean.  A week later, we rescanned the server and this vulnerability showed up.  It may be similar, but it is different.


Jerod,

What test did you run to get this result?

Brian


The system we use for vulnerability scanning detected it using some known SQL injection vulnerabilities.  They did validate it by providing us data that was returned from the query.

Thanks
