[R1] Ipswitch WhatsUp Gold WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection

This vulnerability was reported by Rapid7 and assigned CVE-2015-6004. Rapid7’s blog indicates that CVE-2015-6005 covers the SQL injection, and CVE-2015-6004 covers the XSS, but that doesn’t match what is in the CVE/NVD database. We reached out to CVE to clarify this, who quickly replied that their assignments are based on CERT VU 176160, and do not consider the Rapid7 blog a definitive source. CERT replied saying that was how they assigned and blamed Rapid7 who they would reach out to. Regardless, a new CVE ID is being assigned to this issue in keeping with CVE abstraction policy.

Rapid7’s article indicates that Ipswitch fixed the vulnerability on December 16, 2016. The CVE entry indicates that versions before 16.4 are vulnerable. Finally, Ipswitch even tweeted that they fixed the reported vulnerabilities but did not indicate the fixed version. Since you are reading this advisory, you've probably figured out that this was not fully fixed!

Looking at the WrFreeFormText.asp script, we see the UUID gets appended to an SQL query and executed. This is pretty clearly open for SQL injection abuse. Unfortunately, this is a visually impaired SQL injection (PC term), but we'll allow it. Some examples of exploitation were demonstrated that include displaying the server version and enumerating users. There are very few limits to what an attacker can do and include giving themselves full user rights or changing user names to JavaScript to be executed when the user list is displayed.

Note: That CVE is real! Congrats to the DWF project, a newly minted CNA that operates with transparency and focuses on faster turnaround for CVE assignments. We're their very first assignment. *blush*