Skip to main content

SQL injection in Trend Micro's Control Manager

posted onOctober 1, 2012
by l33tdawg

SQL injection vulnerability was found in Trend Micro Control Manager. A remote attacker can extract sensitive data such as password through blind SQL injection.

Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese version) and version 6 build 1449 (English version only) are susceptible to SQL Injection. The application does not properly filter user-supplied input. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input to the back-end database, such as execute SQL command to upload and execute arbitrary code against the target system.

The vulnerable parameter is ‘id’ parameter in the GET request for AdHocQuery_Processor.aspx page. According to Trend Micro Control Manager help page, an Ad Hoc Query is a direct request to the Control Manager database for information. The query uses data views to narrow the request and improve performance. After specifying the data view, users can further narrow their search by specifying filtering criteria for the request.

Source

Tags

Security Trend Micro

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th