[WT-4999] Blind SQL Injection - Workterra Jira

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Done
Affects Version/s: None
Fix Version/s: None
Component/s: Platform
Labels:
None

Environment:

Production
Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete
Issue Importance:
Must Have

Description

Praetorian initially detected a SQL injection vulnerability after submitting a variety of malicious input
parameters to the GetEmployees endpoint. Praetorian used SQL injection payloads that caused the
application to demonstrate a noticeable difference in response time depending on the results of the
provided SQL query.

Page Name: Search Employee

Information Recovered:
SQL Server version number, Database version, Server name

System should not disclose this information to user.

Attachments

Activity

Transition	Time In Source Status	Execution Times

Vijayendra Shinde (Inactive) made transition - 22/Sep/16 09:25 AM

Open

In Development

1m 42s

Rakesh Roy (Inactive) made transition - 22/Sep/16 10:40 AM

In Development

In LB Testing

1h 15m

Rakesh Roy (Inactive) made transition - 22/Sep/16 10:40 AM

In LB Testing

Stage Testing

Rakesh Roy (Inactive) made transition - 27/Sep/16 06:57 AM

Stage Testing

In Production Testing

4d 20h 17m

Prasad Pise (Inactive) made transition - 30/Sep/16 05:59 AM

In Production Testing

Production Complete

2d 23h 1m

Prasad Pise (Inactive) made transition - 30/Sep/16 05:59 AM

Production Complete

Closed

People

Assignee:: Prasad Pise (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 22/Sep/16 09:23 AM

Updated:: 04/Nov/17 06:35 AM

Resolved:: 30/Sep/16 05:59 AM