Jan 23, 2022
There are hard-coded credentials present in SolarWinds Web Help Desk. Through these credentials an attacker could be allowed to execute arbitrary HQL queries against the database.
This vulnerability allows an attacker to execute Hibernate SQL queries against the database models defined in the source code. As a result, an attacker could read the password hashes of the users registered in Web Help Desk, including administrator password hashes.
In addition to reading sensitive information from the database, other SQL operations such as INSERT/UPDATE/DELETE were also possible, as long as a Hibernate model existed for the database tables, in the code base.
Web Help Desk 188.8.131.5242
Solarwinds Web Help Desk lets you manage all end-user trouble tickets and track service request lifecycle, from ticket creation to resolution, from one centralized help desk management web interface.
Web Help Desk simplifies help desk ticketing, IT asset management and end-user support.
You can read Solarwind’s advisory here.
HTTP request which allows an attacker to run an arbitrary HSQL query:
This will return the following:
Cookie are not necessary/can be forged to execute this attack without any authentication.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team
The timeline for this disclosure process can be found below: