OSVDB ID: 86020

Title: Sinapsi eSolar Light Photovoltaic System Monitor dettagliinverter.php inverterselect Parameter SQL Injection

Dates

Disclosure: Sep 12, 2012
Discovery: Aug 27, 2012
Exploit: Sep 12, 2012
Solution: Unknown

Description

Sinapsi eSolar Light Photovoltaic System Monitor contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the dettagliinverter.php script not properly sanitizing user-supplied input to the 'inverterselect' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: No Vendor Response
OSVDB: SCADA

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

Schneider Electric

Ezylog Photovoltaic Management Server

Unspecified

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/86020