PT-2015-01: SQL Injection in Solar-Log WEB
Vulnerable software
Solar-Log WEB
Link:
http://www.solar-log.com/
Severity level
Severity level: High
Impact: SQL Injection
Access Vector: Remote
CVSS v2:
Base Score: 7.5
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: not assigned
Software description
Solar-Log WEB is a web-based monitoring application that allows installers, portal operators and service providers to manage and monitor installed systems remotely.
Vulnerability description
Specialists at the Positive Research center have detected an SQL injection vulnerability in Solar-Log WEB.
The vulnerability allows remote attackers to execute arbitrary SQL commands via a specially crafted request.
How to fix
Update your software to the latest version.
Advisory status
12.01.2015 - Vendor gets vulnerability details
13.01.2015 - Vendor releases fixed version and details
13.02.2015 - Public disclosure
Credits
The vulnerability was detected by Sergey Gordeychik, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2015-01
Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/