This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create Post
wrightj
Level 7
‎04-20-2012 09:34 AM

SQL Injection Vulnerability - Storage Manager

After upgrading Storage Manager to the latest version 5.2, to fix a vulnerability, our 3rd party vendor identified a new high level SQL injection vulnerability with this application.  This was submitted to development almost a month ago, but has yet to be addressed.  This needs to be resolved since this is a high risk item, but it doesn't appear that anyone's made any progress with it. 

This is the high level description that we received from our vulnerability analysis system:

This host has a web application that is vulnerable to a SQL injection authentication bypass. SQL injection authentication bypasses occur when an attacker is able to supply input in such a way that the resulting combined SQL statement executed on the web server is both valid and results in login access.

0 Kudos
Reply
7 Replies
DanielleH
Community Manager
Community Manager
‎04-20-2012 09:38 AM

Do you have a case #?

0 Kudos
Reply
wrightj
Level 7
In response to DanielleH
‎04-20-2012 02:12 PM

Yes.


Case

325182

0 Kudos
Reply
DanielleH
Community Manager
Community Manager
In response to wrightj
‎04-20-2012 02:15 PM

Thanks, we're looking into this.  Will update this thread when I have details.

Danielle

0 Kudos
Reply
cshanep
Level 11
In response to DanielleH
‎04-23-2012 11:10 AM

Does anyone happen to know if this is the same vulnerability that was in the previous version, and if so, does it's application in the previous version prevent the product from experiencing this in 5.2?

0 Kudos
Reply
wrightj
Level 7
In response to cshanep
‎04-23-2012 11:39 AM

It seems to be different.  We had the original vulnerability show up in the previous version.  We applied the upgrade to fix that issue and it then came back clean.  A week later, we rescanned the server and this vulnerability showed up.  It may be similar, but it is different.

0 Kudos
Reply
bmrad
Product Manager
Product Manager
In response to wrightj
‎05-03-2012 09:15 AM

Jerod,

What test did you run to get this result?

Brian

0 Kudos
Reply
wrightj
Level 7
In response to bmrad
‎05-03-2012 09:18 AM

The system we use for vulnerability scanning detected it using some known SQL injection vulnerabilities.  They did validate it by providing us data that was returned from the query.

Thanks

0 Kudos
Reply

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification SolarWinds Lab
About THWACK Blogs Federal & Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
© 2021 SolarWinds Worldwide, LLC. All Rights Reserved.