Vigil@nce - ArcGIS Web Server: SQL injection
November 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the REST interface of the ArcGIS web server to
inject SQL commands, in order to read or alter data.
– Impacted products: ArcGIS ArcView, ArcGIS for Desktop
– Severity: 2/4
– Creation date: 12/11/2012
DESCRIPTION OF THE VULNERABILITY
The ArcGIS web server has a REST interface, which is reachable on
port 6080/tcp, so that users can remotely query the service.
The "where" parameter of the "query" feature is used to filter
queries. However, this parameter is not filtrered before being
injected in a SQL query.
An attacker can therefore use the REST interface of the ArcGIS web
server to inject SQL commands, in order to read or alter data.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ArcGIS-Web-Server-SQL-injection-12128