Riello UPS NetMan 208 SQL Injection Vulnerability in Login Component
Vulnerability
A SQL injection vulnerability has been identified in the Riello UPS NetMan 208 application in versions prior to 1.12. The issue resides in the login CGI component ('/cgi-bin/login.cgi'): the user-supplied 'username' field is placed into a SQL statement without validation or parameterization, and the statement is executed by an interface that runs every semicolon-separated statement it receives, so an attacker can append further statements (stacked queries) to the one the application intended. Because the login endpoint is reachable before authentication, an unauthenticated attacker can manipulate the 'LOGINFAILEDTABLE' database table, for instance by deleting its contents to reset the failed-login counter that backs the brute-force protection.
Impact
Exploitation of this vulnerability allows unauthorized manipulation of the 'LOGINFAILEDTABLE' table, including deletion of its contents. Emptying the table clears the record of failed logins, so an account that had been locked out accepts password guesses again and brute-force attempts can continue indefinitely, potentially leading to unauthorized access. Deleting this table is the demonstrated use; since arbitrary stacked statements execute, other writes to the same database are possible in principle.
Reproduction
To reproduce this vulnerability, send a POST request to '/cgi-bin/login.cgi' with the 'logintype' parameter set to 'standard'. Set the 'username' parameter to a value that closes the string literal and statement the application builds and appends a stacked statement, such as a DELETE against 'LOGINFAILEDTABLE' with an always-true condition (for example WHERE 1=1). The 'password' parameter can be any value. The application responds with its generic login message, giving no direct indication that the injection worked, but 'LOGINFAILEDTABLE' is emptied afterwards. To confirm, lock out an account first by exceeding the failed-login limit, send the injected request, and observe that the account accepts login attempts again.
Remediation
Users are advised to update to Riello UPS NetMan 208 version 1.12 or later, available from the manufacturer's Driver & Download page, and to review the device's login logs for failed attempts that stopped abruptly, since an emptied 'LOGINFAILEDTABLE' leaves no record of the lockouts that preceded the injection.
