WebEOC contains multiple SQL injection vulnerabilities that may allow attackers to execute sql queries, potentially viewing or modifying data, or executing database commands.
WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and Emergency Operations Centers (EOC). WebEOC does not properly filter user input, allowing a remote attacker to supply SQL commands that may be executed by the underlying database.
A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of a WebEOC database, including authentication and sensitive medical information.
Version 6.0.2 corrects this vulnerability. According to ESi:
This document is based on technical analysis by IOActive and additional information from ESi. Thanks also to the City of Seattle for bringing this to our attention.
|Date First Published:||2005-07-13|
|Date Last Updated:||2005-07-20 02:40 UTC|