CVE-2018-7282
Published 2019-12-06
CVE-2018-7282: The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
Priority: P1 · 79 · critical · 9.8 CVSS 3.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 10.10% (95.1st percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| titool | printmonitor | < pm18.2.1 | pm18.2.1 |
Detection & IOCs (extracted from sources)
Command (login request body): `username={{username}}')+OR+4191=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(50000000/2))))--+vDwl&password={{password}}&language=en`
- Monitor POST requests to /login.php with a username parameter containing SQLite time-based blind SQLi payloads, specifically patterns using the RANDOMBLOB, HEX, UPPER, and LIKE functions.
- Detect TITool PrintMonitor login endpoints exposed on the internet via the Shodan query title:"PrintMonitor" or the FOFA query title="printmonitor".
- A response duration >= 6 seconds on a POST to /login.php returning HTTP 200 with a body containing 'PrintMonitor' and Content-Type text/html is a strong indicator of successful time-based blind SQLi exploitation.
- The attack is unauthenticated (no prior session required) and targets the username parameter in the login request body with Content-Type application/x-www-form-urlencoded.
- The time-based detection threshold is set to 6 seconds; tuning may be required depending on network latency between the scanner and the target to avoid false positives or false negatives.
- The SQLi payload uses SQLite-specific functions (RANDOMBLOB, HEX, UPPER, LIKE), indicating the backend database is SQLite; detection rules should be scoped accordingly.
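The following is an added example, not code from the vulnerability record or from any of the sources it aggregates. It implements the two detection ideas listed above as a small classifier over structured web-access-log events: a request-side check for the SQLite function chain in the username parameter of a POST to /login.php, and a response-side check for the 6-second timing indicator (HTTP 200, text/html, body containing 'PrintMonitor'). The event field names (`method`, `path`, `body`, `status`, `content_type`, `response_excerpt`, `duration_s`) and the sample events are assumptions constructed for the example; the threshold is exposed as a parameter so it can be tuned for network latency as the last two bullets advise.

```python
"""Classify access-log events for CVE-2018-7282 indicators (added example).

Assumes each event is a dict with the fields below; these names are
assumptions for this example, not a real log format:
  method, path, body, status, content_type, response_excerpt, duration_s
"""
import re
from urllib.parse import parse_qs

# SQLite functions that make up the time-based payload quoted in the record.
SQLITE_FUNCS = ("RANDOMBLOB", "HEX", "UPPER", "LIKE")
FUNC_RE = {f: re.compile(rf"\b{f}\s*\(", re.IGNORECASE) for f in SQLITE_FUNCS}

# Timing indicator from the record; tune per deployment to limit false positives.
DEFAULT_THRESHOLD_S = 6.0


def username_from_body(body: str) -> str:
    """Extract the username field from an x-www-form-urlencoded body."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("username", [""])[0]


def sqli_functions_in(username: str) -> list:
    """Return which of the SQLite payload functions appear in the username."""
    return [f for f, rx in FUNC_RE.items() if rx.search(username)]


def classify(event: dict, threshold_s: float = DEFAULT_THRESHOLD_S) -> dict:
    """Return a verdict for one event: ignore, benign, sqli_attempt,
    slow_login_review or likely_successful_sqli."""
    if event.get("method") != "POST" or event.get("path") != "/login.php":
        return {"verdict": "ignore", "functions": [], "slow": False}

    funcs = sqli_functions_in(username_from_body(event.get("body", "")))
    # RANDOMBLOB alone is characteristic of the payload; LIKE or UPPER on
    # their own are too common, so otherwise require most of the chain.
    payload_match = "RANDOMBLOB" in funcs or len(funcs) >= 3

    slow = (
        event.get("status") == 200
        and str(event.get("content_type", "")).startswith("text/html")
        and "PrintMonitor" in event.get("response_excerpt", "")
        and float(event.get("duration_s", 0)) >= threshold_s
    )

    if payload_match and slow:
        verdict = "likely_successful_sqli"   # payload sent and the delay fired
    elif payload_match:
        verdict = "sqli_attempt"             # payload sent, no measurable delay
    elif slow:
        verdict = "slow_login_review"        # delay only: could be latency
    else:
        verdict = "benign"
    return {"verdict": verdict, "functions": funcs, "slow": slow}


def scan(events: list, threshold_s: float = DEFAULT_THRESHOLD_S) -> list:
    """Classify a batch of events and return the verdict strings in order."""
    return [classify(e, threshold_s)["verdict"] for e in events]


# Constructed sample events (not real traffic). The payload value mirrors the
# shape of the command quoted in the record above.
PAYLOAD_USERNAME = (
    "admin')+OR+4191=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(50000000/2))))--+vDwl"
)
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/login.php", "status": 200,
     "content_type": "text/html", "response_excerpt": "<title>PrintMonitor",
     "duration_s": 0.2, "body": "username=alice&password=x&language=en"},
    {"method": "POST", "path": "/login.php", "status": 200,
     "content_type": "text/html", "response_excerpt": "<title>PrintMonitor",
     "duration_s": 0.3, "body": f"username={PAYLOAD_USERNAME}&password=x&language=en"},
    {"method": "POST", "path": "/login.php", "status": 200,
     "content_type": "text/html", "response_excerpt": "<title>PrintMonitor",
     "duration_s": 7.4, "body": f"username={PAYLOAD_USERNAME}&password=x&language=en"},
    {"method": "POST", "path": "/login.php", "status": 200,
     "content_type": "text/html", "response_excerpt": "<title>PrintMonitor",
     "duration_s": 6.8, "body": "username=bob&password=x&language=en"},
    {"method": "GET", "path": "/index.php", "status": 200,
     "content_type": "text/html", "response_excerpt": "<title>PrintMonitor",
     "duration_s": 9.0, "body": ""},
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{event['method']} {event['path']} {event['duration_s']:>4}s -> {verdict}")
```

Only the combination of payload and delay is rated as likely exploitation; a slow login without the payload is routed to review rather than alerted, which is where the threshold tuning the record mentions matters. Raising `threshold_s` above the observed baseline latency of the monitored network turns those timing-only hits back into benign events.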
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_redhat | | 5.3 | MEDIUM | (from the Red Hat entries below, which concern CVE-2019-7282 and CVE-2019-25018, not this CVE) |
GHSA
GHSA-4p5m-mv2p-frm5: The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi
ghsa_unreviewed · 2022-05-24 · CVE-2018-7282 [CRITICAL] CWE-89
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
VulnCheck
titool printmonitor Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2018 · CVSS 9.8 · CVE-2018-7282 [CRITICAL]
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
Affected: titool printmonitor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://viz.greynoise.io/tags/titool-printmonitor-sql-injection-cve-2018-7282-sqli-attempt
Red Hat
netkit-rsh: rcp access restriction bypass
vendor_redhat · 2021-11-19 · CVSS 5.3 · CVE-2019-7282 [MEDIUM] CWE-281
In NetKit through 0.17, rcp.c in the rcp client allows remote rsh servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. This is similar to CVE-2018-20685.
A vulnerability was found in rsh. The vulnerability occurs due to bypass restrictions via the filename of [.] or an empty filename. This flaw allows an attacker to modify the permissions of the target directory on the client-side.
Statement: Red Hat Enterprise Linux 6 and 7 were affected but Out of Support Scope.
https://access.redhat.com/support/policy/updates/errata/
Package: rsh (Red Hat Enterprise Linux 6) - Out of support scope
Package: rsh (Red Hat Enterprise Linux 7) - Out of support scope
Red Hat
krb5-appl: Improper directory name validation allows malicious server to bypass access restrictions
vendor_redhat · 2021-02-02 · CVSS 5.3 · CVE-2019-25018 [MEDIUM] CWE-863
In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
Package: krb5-appl (Red Hat Enterprise Linux 6) - Out of support scope
No detection rules found.
Nuclei
TITool PrintMonitor - Blind SQL Injection
nuclei · CVSS 9.8 · CVE-2018-7282 [CRITICAL]
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
Template:

```yaml
id: CVE-2018-7282

info:
  name: TITool PrintMonitor - Blind SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
  impact: |
    Unauthenticated attackers can execute time-based blind SQL injection to extract database contents, potentially compromising user credentials and sensitive printing data.
  remediation: Upgrade to PM18.2.1.
  reference:
    - https://fenceposterror.github.io/cve-2018-7282.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2018-7282
    - http://print.com
    - http://
```