← Advisories

Mango Automation 2.6.0 CSRF Arbitrary SQL Query Execution

High
Advisory ID
ZSL-2015-5259
Release Date
26 September 2015
Vendor
Infinite Automation Systems Inc. - http://www.infiniteautomation.com
Affected Version
2.5.2 and 2.6.0 beta (build 327)
CVE
CVE-2015-7903
Tested On
Microsoft Windows 7 Professional SP1 (EN) 32/64bit, Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit, Jetty(9.2.2.v20140723), Java(TM) SE Runtime Environment (build 1.8.0_51-b16), Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Summary

Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source.

Description

The application allows users to perform SQL queries via HTTP requests without performing any validity checks to verify the requests in sqlConsole.shtm page. This can be exploited to execute arbitrary SQL commands with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept
mango_sql.txtTXT
Disclosure Timeline
20.08.2015Vulnerability discovered.
25.08.2015Vendor contacted.
25.08.2015Vendor responds giving support e-mail to send details to.
25.08.2015Details sent to the support contact.
27.08.2015Asked vendor for status update.
12.09.2015No reply from the vendor.
13.09.2015Asked vendor for status update.
25.09.2015No reply from the vendor.
26.09.2015Public security advisory released.
20.10.2015Vendor releases version 2.6.0 build 430 to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/38338/
[2]https://packetstormsecurity.com/files/133732
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/106862
[4]http://infiniteautomation.com/forum/topic/1995/mango-security-testing
[5]http://infiniteautomation.com/index.php/what-s-new/entry/what-s-new-in-mango-automation-2-6-0-released-october-20th-2016
[6]http://infiniteautomation.com/forum/topic/1997/mango-automation-2-6-released
[7]https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02A
[8]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7903
[9]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7903
[10]http://www.cvedetails.com/vendor/15200/Infinite-Automation-Systems.html
[11]http://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-005642.html
Changelog
26.09.2015Initial release
07.10.2015Added reference [1], [2] and [3]
21.10.2015Added vendor status and reference [4], [5] and [6]
29.10.2015Added reference [7], [8], [9], [10] and [11]