Bugtraq mailing list archives
AirWatch Self Service Portal Username Parameter LDAP Injection
From: Patrick Webster <patrick () osisecurity com au>
Date: Tue, 4 Apr 2017 16:48:22 +1000
https://www.osisecurity.com.au/airwatch-self-service-portal-username-parameter-ldap-injection.html Date: 04-Apr-2017 Product: AirWatch Self Service MDM Versions affected: v6.1.x v6.4.x Vulnerability: LDAP injection Example: https://[target]/DeviceManagement/ URL accepts the following POST parameters: AuthenticationMode ActivationCode Username Password Login The 'Username' parameter appears to be vulnerable to an LDAP injection attack. A query of: *)(sn=* Takes a long time to complete (talking minutes), due to valid injection of an LDAP query which enumerates the entire LDAP directory. Other normal (or syntax invalid LDAP) requests are answered within seconds. Credit: Discovered by Patrick Webster Disclosure timeline: 20-Aug-2013 - Discovered during audit. 23-Aug-2013 - Reported to vendor. 26-Aug-2013 - Vendor acknowledged report. 09-Sep-2013 - Vendor confirmed. 15-Oct-2013 - Vendor released v6.5 including fix. 04-Apr-2017 - Public disclosure. About OSI Security: OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We provide internal and external penetration testing, vulnerability auditing and wireless site audits, vendor product assessments, secure network design, forensics and risk mitigation services. We can be found at http://www.osisecurity.com.au/
Current thread:
- AirWatch Self Service Portal Username Parameter LDAP Injection Patrick Webster (Apr 04)