Contec CONPROSYS HMI System (CHS) Unauthenticated SQLi
March 31, 2023, 2:51 p.m. | Nick Miles
Tenable Research Advisories www.tenable.com
There is an SQL injection vulnerability in Contec CONPROSYS HMI System (CHS) 3.5.1. An unauthenticated remote attacker can exploit it to enumerate a CHS database.
CHS logs login attempts to the dbo.m_user_login table in a PostgreSQL database:
from: auth_login.php
<...snip...>
$v = d5::v(); // get client IP address
if ($l != null) {
    $p = ad(time());
    $q = new d5($i, null, null, 'dbo.m_user_login');
    try {
        // the row values are quoted by hand and concatenated straight into the statement
        $q->_a(_S34_, "'" . $o . "','" . $l->l …
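The snippet above builds the INSERT for the login-attempt log by quoting each value by hand and gluing it into the statement, which is exactly the pattern that lets a client-supplied string become SQL. The following is an added illustration, not Tenable's proof of concept and not CHS code: it reproduces the same concatenation against an in-memory SQLite database and puts the parameterized fix beside it. The table layout (an m_user_login log table and a second table holding something worth reading), the helper names and the payload are assumptions for the demo; the || string-concatenation operator and scalar subqueries in VALUES behave the same way in PostgreSQL, which CHS uses.

```python
"""Hand-concatenated vs. parameterized INSERT for a login-attempt log.

Added example; the schema, helper names and payload are constructed for the
demo and are not taken from the advisory or from CHS.
"""
import sqlite3


def make_db():
    """Constructed schema: the attempt log plus a table an attacker would want to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE m_user_login (ip TEXT, login TEXT, ts INTEGER)")
    conn.execute("CREATE TABLE m_user (login TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO m_user VALUES ('admin', 'deadbeef')")  # constructed sample row
    return conn


def last_logged_login(conn):
    row = conn.execute(
        "SELECT login FROM m_user_login ORDER BY rowid DESC LIMIT 1"
    ).fetchone()
    return row[0]


def log_attempt_vulnerable(conn, ip, login, ts=0):
    """Mirrors the auth_login.php pattern: values are quoted by hand and
    concatenated, so a single quote inside `login` ends the literal and the
    rest of the string is parsed as SQL."""
    sql = (
        "INSERT INTO m_user_login VALUES ('" + ip + "','" + login + "'," + str(ts) + ")"
    )
    conn.execute(sql)
    return last_logged_login(conn)


def log_attempt_fixed(conn, ip, login, ts=0):
    """Parameterized form: the driver sends the values separately from the
    statement text, so the same payload is stored as an inert string."""
    conn.execute("INSERT INTO m_user_login VALUES (?, ?, ?)", (ip, login, ts))
    return last_logged_login(conn)


# Constructed payload: closes the quoted login, concatenates a scalar
# subquery that reads another table, then reopens the literal so the
# statement still parses. No authentication is needed because the log
# write happens on every login attempt, successful or not.
PAYLOAD = "'||(SELECT password_hash FROM m_user WHERE login='admin')||'"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable stored:", log_attempt_vulnerable(db, "10.0.0.1", PAYLOAD))
    print("fixed stored:     ", log_attempt_fixed(db, "10.0.0.1", PAYLOAD))
```

In the vulnerable path the value that lands in the log is the admin password hash pulled from the other table, i.e. the attacker's text was executed as SQL; in the fixed path the log row contains the payload verbatim. Whether an attacker gets the result back directly, through an error message or through timing depends on the deployment, but the root cause and the fix (bind parameters, never string-built literals) are the same.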