Sabre AirCentre Crew 'cwplogin.aspx' Multiple SQL Injection Vulnerabilities
Release date:
Updated on:
Affected Systems:
Sabre AirCentre Crew 2010.2.12.20008
Description:
--------------------------------------------------------------------------------
Bugtraq id: 68899
CVE (CAN) ID: CVE-2014-4858
Sabre AirCentre Crew is a group of solutions that allow airlines to efficiently plan and manage the operations of crew members. From planning and bidding to scheduling and matching, Sabre AirCentre Crew allows airlines to effectively plan their crew operations and consider crew training and qualification requirements.
AirCentre Crew 2010.2.12.20008 and other versions do not effectively filter the username and password fields of CWPLogin.aspx, which leaves them open to SQL injection. Remote attackers can exploit this vulnerability to bypass authentication and access the system as an administrator.
<* Source: Youssef Manar
Link: http://secunia.com/advisories/60532/
*>
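The flaw class described above, shown on a constructed login table as an added example. This is not Sabre's code, which the advisory does not include; Python and SQLite stand in for the ASP.NET application, and every table, column and function name here is an assumption.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not from the advisory)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, is_admin INTEGER)"
    )
    # Plaintext passwords only keep the demo short; store salted hashes in practice.
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret-constructed", 1), ("crew01", "pilot-constructed", 0)],
    )
    return db


def login_concat(db, username, password):
    """Vulnerable pattern: the form fields are pasted into the SQL text."""
    sql = (
        "SELECT username, is_admin FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return db.execute(sql).fetchone()


def login_param(db, username, password):
    """Hardened pattern: the fields are bound as parameters, never parsed as SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


# Constructed username containing SQL metacharacters (quote plus comment marker).
CRAFTED_USER = "admin' --"

if __name__ == "__main__":
    db = make_db()
    # Concatenation lets the input rewrite the query: the password check is cut off.
    print("concatenated :", login_concat(db, CRAFTED_USER, "wrong"))
    # Binding treats the same bytes as a literal username that matches no row.
    print("parameterized:", login_param(db, CRAFTED_USER, "wrong"))
```

The same contrast applies to any data-access layer: the fix is to bind the login fields as parameters rather than to filter characters out of them.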
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Sabre
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.sabreairlinesolutions.com/home/software_solutions/product/crew_management/