Super admin privesc + password DB dump in Password Manager Pro

This is part 7 of the ManageOwnage series.

Today we have a blind SQL injection in Password Manager Pro (PMP) that can be abused to escalate privileges for a low privileged user (like a […]). Using our new powers we can then dump the whole password database in cleartext.

Unlike in part 6, this time ManageEngine have been responsible and it actually took them less than a month to fix it.

I have also produced a Metasploit module that performs the injection, escalates privileges and dumps the password database. Proposed for merging and hopefully should be integrated in the next […].

Details and full advisory text is below. A copy of this advisory can […]

Authenticated blind SQL injection in Password Manager Pro / Pro MSP
Discovered by Pedro Ribeiro (pedrib () gmail com), Agile Information Security

"Password Manager Pro (PMP) is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital […]"

PMP has a SQL injection vulnerability in its search function. A user account is required to exploit the injection, however a low […]

Vulnerability: Blind SQL injection in SEARCH_ALL parameter (multiple […]
Constraints: authentication needed (guest / low privileged user account)
Affected versions: Unknown, at least v7 build 7001 to vX build XXX
Affected versions: Unknown, at least v6 […]

The application uses different database backends by default depending […] .8 use PostgreSQL. Single quotes are escaped with backslashes at the injection point, but this can be somewhat avoided by double escaping. In addition, injected strings are all modified to […]. These two unintended "protections" make it difficult to exploit the injection to achieve remote code execution.

However the injection can be abused in creative ways - for example to escalate the current user privileges to "Super Administrator", which has access to all the passwords in the system in unencrypted format. This can be achieved by injecting the following queries: "update AaaAuthorizedRole set role_id=1 where account_id= […]" and "insert into […]". A Metasploit module has been released that creates a new "Super Administrator" account and exports PMP's password database in CSV format.