MachineName Parameter can be used to Exploit a SQL Injection Vulnerability in App Broker

Symptoms:

A SQL injection vulnerability in App Broker 2018R1 and earlier allows local users to execute arbitrary SQL commands via the MachineName parameter. 

Diagnosis:

The machine name sent by the client is not validated and can be used to deliver SQL commands that are interpreted by the database engine.
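As an added illustration of the flaw class described above (example code, not App Broker's own; the table, column and function names are assumptions), the unsafe concatenation pattern is shown beside a hardened lookup that allow-lists the Windows computer-name format and binds the value as a query parameter:

```python
import re
import sqlite3

# Constructed sample inventory standing in for machine data (schema assumed).
SAMPLE_MACHINES = [
    ("WS-0001", "alice"),
    ("WS-0002", "bob"),
    ("SRV-DB01", "svc_app"),
]

# Windows computer names: 1 to 15 characters, letters, digits and hyphen only.
MACHINE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (name TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO machines VALUES (?, ?)", SAMPLE_MACHINES)
    return conn


def lookup_owner_unsafe(conn: sqlite3.Connection, machine_name: str):
    """The pattern the advisory describes: the client-supplied name is spliced
    into the SQL text, so any quote or keyword in it reaches the engine as SQL."""
    sql = f"SELECT owner FROM machines WHERE name = '{machine_name}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def validate_machine_name(machine_name: str) -> str:
    """Reject anything that is not a syntactically valid computer name."""
    if not MACHINE_NAME_RE.fullmatch(machine_name):
        raise ValueError(f"invalid machine name: {machine_name!r}")
    return machine_name


def lookup_owner_safe(conn: sqlite3.Connection, machine_name: str):
    """Hardened: allow-list the format first, then bind the value as a
    parameter so the engine never parses it as part of the statement."""
    name = validate_machine_name(machine_name)
    row = conn.execute(
        "SELECT owner FROM machines WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None
```

The validation step is defence in depth: parameter binding alone closes the injection, while the format check also stops malformed names from being stored or logged.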

Steps to Reproduce:

Steps to reproduce are not available at this time, as this issue was discovered through a vulnerability scan of App Broker.

Resolution:

This issue has been resolved in App Broker 2019 R1. Please download the latest version of App Broker 2019 R1 from the PLC download area.

Additional Information: 

This issue has been tracked under issue number IOJ-1908386.
For release notes and resolved issues in App Broker 2019 R1, please visit:
https://helpnet.flexerasoftware.com/appportal/rn2019r1/AppPortalAppBroker2019r1ReleaseNotes.htm#reso...

Related Documents:

Secunia Research at Flexera has issued advisory SA88121.
A copy of the advisory is attached to this article.
Last update: Apr 30, 2019 07:16 AM