<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=2114085292224199&amp;ev=PageView&amp;noscript=1">

Security Advisory: MapControl SQL Injection

Posted by David Chadwick - 08 August, 2019


MapControl SQL Injection

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: IntraMaps

Vendor site: https://mapsolutions.com.au/intramaps/IntraMaps-Enterprise.aspx

Product: MapControl

Affected version(s): 8

Remediated version: 8.1

Severity Rating: High

Impact: Exposure of sensitive information

Attack vector: Remote without authentication

CVE: CVE-2019-13191

Details: It is possible to insert malicious SQL code into the application as an unauthenticated user. The parameter ‘mapKey’ in the Set page is vulnerable to SQL injection. The page is at the following location: https://<Host>/MapControl80/ApplicationEngine/Search/Refine/Set.

The following request is a proof of concept and will cause an SQL error:


Recommendation: Update to the latest patch.

Discovered by: David Chadwick from Content Security Pty. Ltd.

Recent Posts

Security Advisory: Footy Tipping Software Whitelisting Bypass

read more

Security Advisory: Footy Tipping Software Cross-site Scripting

read more

Three Types of Security Threats and How to Guard Against Them

read more