search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OneOrZero AIMS authentication bypass and SQLi vulnerabilities

Vulnerability Note VU#800227

Original Release Date: 2011-10-13 | Last Revised: 2011-10-13

Overview

OneOrZero Action & Information Management System (AIMS) is vulnerable to an authentication bypass and SQL injection.

Description

According to the vendor's website:

"OneOrZero AIMS is a powerful enterprise ready suite that includes a help desk, knowledge base, time manager and reporting system supported by a highly configurable and extensible Action & Information Management System that allows you to 'build your own system' on the fly."

AIMS is susceptible to an authentication bypass. An attacker can generate a session cookie for $_COOKIE['oozimsrememberme'] and log in as an administrator without providing a password.

AIMS is also susceptible to SQL injection. On line 136 of lib\ooz_access.php the $cookieName variable that originates from an attacker controllable cookie is passed to a SQL statement without any filtering:

$sql = "SELECT * FROM " . OOZ_SET_TABLE_PREFIX . "users WHERE user_name = '" . $cookieName . "'";
$userResult = DB::query($sql, DSN, OOZ_SET_SHOW_SQL);

 

Impact

An unauthenticated remote attacker may be able to bypass authentication or leak database information.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

800227
 
Affected   Unknown   Unaffected

OneOrZero

Updated:  October 12, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Yuri Goltsev of Positive Technologies for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Severity Metric: 0.07
Date Public: 2011-10-12
Date First Published: 2011-10-13
Date Last Updated: 2011-10-13 14:49 UTC
Document Revision: 7

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.