VYPR
High severity (8.2) · NVD Advisory · Published Mar 6, 2026 · Updated Apr 15, 2026

CVE-2018-25189

Description

Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted SQL payloads through POST requests to extract sensitive database information including usernames, database names, and version details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Data Center Audit 2.6.2 has an unauthenticated SQL injection in dca_login.php's username parameter, allowing attackers to extract sensitive database information.

Vulnerability

Overview

Data Center Audit 2.6.2 contains a SQL injection vulnerability in the username parameter of dca_login.php. The application fails to properly sanitize user input before including it in SQL queries, allowing an attacker to inject arbitrary SQL commands. This is a classic SQL injection flaw: the input is concatenated directly into a query string without escaping or parameterization [1][2].

Exploitation

Details

The vulnerability can be exploited by sending a crafted POST request to the login page. No authentication is required, making it accessible to any remote attacker. The exploit payload shown in the public proof-of-concept uses a blind SQL injection technique that leverages error-based extraction to retrieve information. By injecting a subquery that causes a duplicate key error, the attacker can extract data such as the current database user, database name, and version [1]. The attack is performed over HTTP and does not require any special privileges or prior access.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying database. This can lead to the extraction of sensitive information, including usernames, database names, and database version details. Depending on the database configuration and permissions, the attacker might also be able to modify or delete data, potentially compromising the entire application and its data [2].

Mitigation

As of the publication date, the vendor has not released a patched version. Users of Data Center Audit 2.6.2 should consider upgrading to a newer version if available, or implement input validation and parameterized queries as a workaround. The vulnerability has been publicly disclosed and an exploit is available, increasing the risk of active exploitation [1][2].
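As an added illustration (not code from Data Center Audit, whose source is not shown on this page), the concatenation pattern the overview describes is placed beside the parameterized form the mitigation section recommends; the user table and the probe value are constructed for the demo, using an in-memory SQLite database as a stand-in for the application's backend.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's user table (assumption: the
    # real Data Center Audit schema is not given on the page).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    # The flaw the advisory describes: request parameters concatenated straight
    # into the SQL text, so quote characters in the input change the query.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()


def login_parameterized(con, username, password):
    # Hardened form: bound placeholders make the driver treat the input purely
    # as data, so the query structure cannot be altered by its contents.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


# Constructed probe value: a quote closes the string literal and "--" comments
# out the rest of the concatenated query, which is the shape of input that a
# vulnerable login handler must be tested against after a fix.
PROBE_USERNAME = "admin' --"


def demo():
    con = make_db()
    return {
        # concatenated query: password check is commented away, row returned
        "vulnerable": login_vulnerable(con, PROBE_USERNAME, "wrong"),
        # parameterized query: the probe is just an unknown username, no row
        "parameterized": login_parameterized(con, PROBE_USERNAME, "wrong"),
        # legitimate credentials still work through the hardened path
        "legit": login_parameterized(con, "admin", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```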

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 2
