{"vuid":"VU#795644","idnumber":"795644","name":"Esri ArcGIS server 10.1 contains a blind SQL injection vulnerability","keywords":["esri","arcgis","sqli","cwe-89"],"overview":"Esri's ArcGIS server version 10.1 contains a blind SQL injection vulnerability that allows remote attackers to execute a subset of SQL commands via a query operation where clause.","clean_desc":"The Esri ArcGIS server version 10.1 contains a blind SQL injection vulnerability (CWE-89) for REST service queries. The where form field, when constructing a query, does not properly sanitize SQL commands from the input. Proof-of-Concept: http://<FQDN/IP>:6080/arcgis/rest/services/<SERVICE WITH QUERY SUPPORT>/query?f=json&where=featured%3Dtrue&returnGeometry=true&spatialRel=esriSpatialRelIntersects","impact":"A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.","resolution":"Apply an Update: Esri released an update to ArcGIS Server 10.1 Service Pack 1. If you cannot patch, please consider the following workarounds.","workarounds":"Disable the query: The query operation may be disabled via ArcGIS Manager for each service. Restrict access: As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.","sysaffected":"","thanks":"Thank you to the reporter that wishes to remain anonymous.","author":"This document was written by Jared Allar.","public":["http://support.esri.com/en/downloads/patches-servicepacks/view/productid/66/metaid/1930","http://support.esri.com/en/knowledgebase/techarticles/detail/40665","http://www.esri.com/software/arcgis/arcgisserver","http://support.esri.com/en/downloads/patches-servicepacks","http://cwe.mitre.org/data/definitions/89.html"],"cveids":["CVE-2012-4949"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2012-09-14T13:49:53Z","publicdate":"2012-10-29T00:00:00Z","datefirstpublished":"2012-11-09T21:02:03Z","dateupdated":"2012-11-19T16:05:27Z","revision":32,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.5","cvss_basevector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","cvss_temporalscore":"5.9","cvss_environmentalscore":"4.4","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}