S-189: SQL Injectionin Cisco Unified Communications Manager

02-15-2008

Registered User

26,240, 27

Join Date: Sep 2000

Last Activity: 1 August 2008, 3:09 PM EDT

Posts: 26,240

Thanks Given: 0

Thanked 27 Times in 26 Posts

S-189: SQL Injectionin Cisco Unified Communications Manager

Cisco Unified Communications Manager is vulnerable to a SQL Injection attack in the parameter key of the admin and user interface pages. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The risk is LOW. An authenticated attacker may be able to exploit this vulnerability to extract records from the Cisco Unified Communications Manager database. A successful attack might retrieve sensitive data such as user names, passwords hashes, and information from call records. An attacker cannot use this vulnerability to alter or delete call record information from the database.

More...

Linux Bot

View Public Profile for Linux Bot

Find all posts by Linux Bot

oar-database(1) OAR commands oar-database(1) NAME
oar-database - create/initialize/upgrade/reset/drop the oar database SYNOPSIS
oar-database --create [OPTIONS] oar-database --drop [OPTIONS] oar-database --setup [OPTIONS] oar-database --reset [OPTIONS] DESCRIPTION
Manage the oar database. --setup Initialize/Upgrade an existing database. --reset Reset an existing database. --create Create and initialize a new database/user. --drop Drop an existing database/user. OPTIONS
General parameters --conf=OAR_CONF_FILE Define the oar configuration file to use. By default /etc/oar/oar.conf is used. This file doesn't exist, the default parameters for each value are used. --update-conf The database parameters given in the command line are writen to the OAR_CONF_FILE -h,--help Display this help. -d,--debug Display more information during the script execution -f,--force-sql Force to resume the execution even if an sql instruction fails -y,--force-yes This option will cause oar-database to continue without prompting if it is doins something potentially harmful Database admin parameters These parameters are only needed for database/user creation or removing. --db-is-local For --create or --drop, this option tells that the database is local. oar-database can use local admin account to execute command (useful for postgres). --db-admin-user=DB_ADMIN_USER For --create or --drop, this option gives the privilegied user to use. --db-admin-pass=DB_ADMIN_PASS For --create or --drop, this option gives the privilegied user pass to use. SQL parameters By default, if not specified, all the sql parameters are taken from the OAR_CONF_FILE. It is preferable to set these values directly to this file. --db-type=DB_TYPE The type of the SQL database. It can be currently, mysql or Pg (for postgresql). --db-user=DB_USER Connect to the database as the user DB_USER instead of the one given in OAR_CONF_FILE. By default, if OAR_CONF_FILE doesn't specify a user, it is oar. --db-pass=DB_PASS Connect to the database with the password DB_PASS instead of the one given in OAR_CONF_FILE. --db-host=DB_HOST Connect to the database on the host DB_HOST, By default, if OAR_CONF_FILE doesn't specify a host, it is localhost. --db-port=DB_PORT Connect to the database on the port DB_PORT, By default, if OAR_CONF_FILE doesn't specify a port, the value depend on the DB_TYPE. if DB_TYPE is mysql, DB_PORT is 3306. If DB_TYPE is postgresql, DB_PORT is 5432. --db-name=DB_NAME Connect to the database on the host DB_HOST, By default, if OAR_CONF_FILE doesn't specify a database name, it is oar. --db-ro-user=DB_RO_USER same as --db-user except that it is for the read only access. --db-ro-pass=DB_RO_PASS same as --db-pass except that it is for the read only access. EXAMPLES
Mysql First you need to specify the sql parameters in /etc/oar/oar.conf. These parameters will be used by oar-database. To create a new database (assuming that the sql root password is PASS): oar-database --create --db-admin-user root --db-admin-pass PASS To upgrade an existing database: oar-database --setup Postgresql First you need to specify the sql parameters in /etc/oar/oar.conf. These parameters will be used by oar-database. Then if your postgresql database is on the local system, you can use the option --db-is-local (otherwise, the procedure is the same as Mysql). So oar-database will use the postgres unix user to administrate the database (you need privilegied access to the local system). To create a new database: oar-database --create --db-is-local To upgrade an existing database: oar-database --setup Advanced usages To make some tests or to administrate several databases, you can also specify the sql parameters on the command line. For example: oar-database --create --db-type=Pg --db-host=HOST --db-user=oar --db-pass=PASS --db-admin-user=ADMIN_USER --db-admin-pass=ADMIN_PASS will create the oar database and the oar user on the postgresql system hosted by HOST. The user ADMIN_USER must have the right to create new databases and new roles on this system. FILES
/usr/lib/oar/database/mysql_structure.sql, /usr/lib/oar/database/pg_structure.sql SQL instructions for creating the structure of the oar database. /usr/lib/oar/database/mysql_default_admission_rules.sql, /usr/lib/oar/database/pg_default_admission_rules.sql SQL instructions for inserting the default admission rules in the oar database. /usr/lib/oar/database/default_data.sql SQL instructions for inserting the default data in the oar database. /usr/lib/oar/database/mysql_reset_structure.sql, /usr/lib/oar/database/pg_reset_structure.sql SQL instruction for emptying an existing oar database. /usr/lib/oar/database/mysql_structure_upgrade_*.sql, /usr/lib/oar/database/pg_structure_upgrade_*.sql SQL instructions for upgrading an existing database. oar-database 2012-06-26 oar-database(1)

Security Advisories (RSS)

S-189: SQL Injectionin Cisco Unified Communications Manager

LEARN ABOUT DEBIAN

oar-database