Trend Micro Control Manager GetPassword() SQLi
Severity: High
Nessus Plugin ID: 110766
Synopsis
A web application running on the remote host is affected by an SQLi vulnerability.
Description
The Trend Micro Control Manager running on the remote host is affected by an SQLi vulnerability when processing an HTTP request due to the lack of proper validation of a user-supplied string before using it to construct SQL queries. An unauthenticated, remote attacker can exploit this issue, via a specially crafted HTTP request, to execute code under the context of the Network Service account.
Note that Trend Micro Control Manager is reportedly affected by additional vulnerabilities; however, this plugin has not tested for these.
Solution
Upgrade to Trend Micro Control Manager version 6.0 build 3748 / 7.0 or later.
Note that version 6.0 build 3748 requires version 6.0 SP3 Patch 3 as a prerequisite.