This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MachineName Parameter can be used to Exploit a SQL Injection Vulnerability in App Broker

Symptoms:

A SQL injection vulnerability in App Broker 2018R1 and earlier allows local users to execute arbitrary SQL commands via the MachineName parameter. 

Diagnosis:

The machine name sent by the client is not validated, and can be used to deliver SQL commands that would be interpreted by the database engine.

Steps to Reproduce:

Steps to reproduce are not available at this time, as this issue was discovered through a vulnerability scan of App Broker.

Resolution:

This issue has been resolved in App Broker 2019 R1. Please download the latest version of App Broker 2019 R1 from the PLC download area.

Additional Information: 

This issue has been tracked under issue number IOJ-1908386.
For release notes and resolved issues in App Broker 2019 R1, please visit:
https://helpnet.flexerasoftware.com/appportal/rn2019r1/AppPortalAppBroker2019r1ReleaseNotes.htm#resolve 

Related Documents:

Secunia Research at Flexera has issued an advisory SA88121. 
A copy of the advisory is attached to this article.
 

‎Apr 30, 2019 07:16 AM

Preview file
29 KB
Was this article helpful? Yes No
No ratings
Version history
Last update:
‎Apr 30, 2019 07:16 AM
Updated by:
Level 7 Flexeran