Trend Micro Control Manager AdHocQuery_Processor.aspx id Parameter SQL Injection
Medium Nessus Plugin ID 62628
Synopsis
The remote Windows host has a web application that is affected by a SQL injection vulnerability.
Description
Trend Micro Control Manager, a centralized threat and data protection management application, is installed on the remote Windows host and is potentially affected by a SQL injection vulnerability because the application fails to properly sanitize user-supplied input to the 'id' parameter of the AdHocQuery_Processor.aspx script.
By exploiting this flaw, a remote, authenticated attacker could launch a SQL injection attack against the affected application, leading to the discovery of sensitive information, attacks against the underlying database, and the like.
Solution
Critical Patch - Build 1823 is available for Trend Micro Control Manager 5.5. Critical Patch - Build 1449 is available for Trend Micro Control Manager 6.0. If you are using an older version, upgrade to either 5.5 or 6.0 and apply the relevant patch.