===============================================================================
Bitsec Security Advisory: Agda Entré SQL Injection                   2008-11-21
===============================================================================

Application     Agda Entré
Vendor          Agda Lön AB - http://www.agda.se
Discovered by   Bosse Eriksson
Researched by   Bosse Eriksson
Reference       http://www.bitsec.com/en/rad/bsa-081121.txt
GPG Key         http://www.bitsec.com/labs.asc

Overview

  Agda Entré is a web front-end to the HR system Agda PS. This interface
  allows users to access certain features of Agda PS remotely, from the
  internet or from a company's intranet.

Problem

  A remotely exploitable SQL injection vulnerability exists in the Agda
  Entré application. When exploited, the vulnerability allows an
  unauthenticated attacker to read arbitrary data from the system, e.g.:

    * usernames
    * passwords
    * social security numbers
    * salaries

  An attacker may also manipulate information in various ways through the
  exact same vulnerability.

Exploit

  Exploiting this bug was not entirely straightforward, since the SQL
  injection is blind. However, since the underlying DBMS is Microsoft SQL
  Server, it was possible to perform reliable data tunneling through the
  DNS protocol and thus effectively retrieve data.

  Bitsec will not provide a proof-of-concept exploit for this
  vulnerability. However, a live demonstration of the PoC code is available
  upon request.

Fix

  The vendor has not provided a public fix for the vulnerability.
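Detection note

  Because the data path described above runs through DNS, one practical
  check on the defending side is to watch the database server's outgoing
  DNS queries: a database tier normally resolves very few names, and a
  stream of long hex-like labels under one base domain is the footprint
  data tunneling leaves. The following is an added example, not part of
  the Bitsec advisory or of any Agda code; it scans constructed resolver
  log lines (timestamp, client address, queried name) and flags base
  domains that the database host queried with many unique hex-like
  leftmost labels. The log format, the host address 10.0.0.5 and the
  domain names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (timestamp, client, queried name).
# 10.0.0.5 plays the database server; the names are made up.
SAMPLE_LOG = """\
2008-11-21T10:00:01 10.0.0.5 wpad.corp.example
2008-11-21T10:00:02 10.0.0.5 time.windows.com
2008-11-21T10:00:03 10.0.0.5 4a6f686e3a31323334.x.attacker-controlled.example
2008-11-21T10:00:04 10.0.0.5 6d6172793a7365637265.x.attacker-controlled.example
2008-11-21T10:00:05 10.0.0.5 616e6e613a70617373.x.attacker-controlled.example
2008-11-21T10:00:06 10.0.0.9 www.microsoft.com
"""

# A leftmost label made only of hex digits and at least this long is far
# more likely to carry encoded data than to be a real host name.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def parse_line(line):
    """Split one log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")


def base_domain(qname, depth=2):
    """Last `depth` labels, e.g. 'a.b.attacker-controlled.example' -> 'attacker-controlled.example'."""
    return ".".join(qname.split(".")[-depth:])


def find_dns_tunneling(log_text, db_hosts, min_unique=3, min_label=16):
    """Return {base_domain: [qnames]} for domains that a database host queried
    with at least `min_unique` distinct long hex-like leftmost labels.
    Ordinary name resolution from a database server does not look like this;
    hex-encoded data being carried out in query names does."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = parse_line(line)
        if client not in db_hosts:
            continue  # only the database tier is in scope
        first = qname.split(".")[0]
        if len(first) >= min_label and HEX_LABEL.match(first):
            per_domain[base_domain(qname)].append(qname)
    return {d: q for d, q in per_domain.items() if len(set(q)) >= min_unique}
```

  A hit should be followed by blocking the database tier's unneeded
  outbound DNS and fixing the injection itself (parameterised queries),
  since the tunnel is only the exfiltration channel, not the root cause.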
Disclosure Timeline

  2008-07-22  Notified Agda (David Sturk)
  2008-07-22  Received response from Agda
  2008-08-28  Proof-of-concept demonstration for Agda
  2008-09-25  No response from Agda, second attempt
  2008-09-29  Agda notified and given one month to publish a patch
  2008-11-21  Public release