SolarWinds Storage Manager SQL Injection

Added: 05/17/2012
BID: 51639
OSVDB: 81634

Background

SolarWinds Storage Manager is an agentless, heterogeneous monitoring and reporting tool for the performance and capacity of physical and virtual storage infrastructure. It delivers visibility and insight into how your storage infrastructure maps to your virtualized environment.

Problem

SolarWinds Storage Manager fails to properly sanitize user-supplied input passed to the login interface. This can be exploited to execute arbitrary SQL commands. Additionally, an unauthenticated user can upload and execute malicious files in the context of the database server's host operating system.
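The defect class described above is a login query assembled from unsanitized input. The following is an added example, not SolarWinds code and not taken from the referenced write-ups: a constructed in-memory SQLite table with a login check built by string concatenation next to the parameterized form that treats the same input as data. The table name, columns and sample credentials are assumptions; a real system would store salted password hashes rather than the plaintext used here for brevity.

```python
"""Added example (not SolarWinds code): a login check built by string
concatenation beside the parameterized form, both run against a small
SQLite table constructed here. Schema and credentials are assumptions."""
import sqlite3


def make_db():
    # Constructed sample table with one legitimate account.
    # Plaintext password is for illustration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Input is spliced into the SQL text, so a quote or comment
    # sequence in either field changes the statement that runs.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters keep the statement fixed; input can only
    # ever be compared as a value, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Compare both implementations on a normal login and on a
    # constructed input containing a quote and a SQL comment marker.
    conn = make_db()
    benign = ("admin", "s3cret")
    hostile = ("admin' --", "wrong-password")
    return {
        "vulnerable_benign": login_vulnerable(conn, *benign),
        "vulnerable_hostile": login_vulnerable(conn, *hostile),
        "parameterized_benign": login_parameterized(conn, *benign),
        "parameterized_hostile": login_parameterized(conn, *hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The hostile input succeeds only against the concatenated version, where the comment marker truncates the password check; the parameterized version rejects it because the quote and comment characters are compared literally against the stored username. Parameterized statements, not input filtering, are the fix the vendor hot-fix category implies.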

Resolution

Apply vendor supplied hot-fix.

References

http://ddilabs.blogspot.in/2012/02/solarwinds-storage-manager-server-sql.html
http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm

Limitations

This exploit has been tested against SolarWinds Storage Manager 5.0.1.

Platforms

Windows
