[UNIX] Ipswitch WhatsUp SQL Injection Vulnerability
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 23 Jun 2005 13:13:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Ipswitch WhatsUp SQL Injection Vulnerability
Ipswitch's WhatsUp is "a network management solution for small and mid
Remote exploitation of a SQL injection vulnerability in Ipswitch Inc.'s
WhatsUp Professional allows remote attackers to gain administrative access
to the application.
* Ipswitch WhatsUp Gold Professional version 2005 SP1
* Ipswitch WhatsUP Professional 2005 SP1a
The main logon screen for the web based front end does not properly
validate input, allowing for SQL injection attacks to occur. SQL commands
can be submitted through the "User Name" and "Password" fields on the
default login page.
The web front end is not enabled by default and must be running for the
application to be vulnerable. It can be enabled under the "Configure",
"Program Options" menu by checking the "Enable web server on port "
Exploit code for this vulnerability is unnecessary; the following SQL
injection attacks can be executed in the "User Name" field of the
Reset the Admin user password with a blank password:
- 'UPDATE WebUser SET sPassword=DEFAULT WHERE sUserName='Admin'--
Elevate Guest user privileges to Admin privileges:
- 'UPDATE WebUser SET nUserRightsMask=-1 WHERE sUserName='guest'--
Successful exploitation allows unauthenticated remote attackers to gain
administrative access to the WhatsUp Professional application. SQL
injection attacks can be used to either elevate the privileges of the
Guest user or to change/erase the password of the Admin user. Either
approach will provide a remote attacker with full administrative access to
the application. By default, the Guest user is enabled but has limited
access to the application and the account has a blank password.
Disabling the web front end to WhatsUp Gold Professional 2005 (SP1) will
prevent the ability to exploit this vulnerability. It can be disabled
under the "Configure", "Program Options" menu by unchecking the "Enable
web server on port " checkbox.
This vulnerability is addressed in WhatsUP Pro 2005 SP1a.
A change log detailing changes in SP1a is available at:
* 25.04.05 - Initial vendor notification
* 10.05.05 - Initial vendor response
* 22.06.05 - Coordinated public disclosure
The information has been provided by <mailto:email@example.com> iDEFENSE.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.