S4E

CVE-2018-11511 Scanner

CVE-2018-11511 Scanner - SQL Injection vulnerability in ASUSTOR ADM

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 7 hours
Scan only one: Domain, Subdomain, IPv4

ASUSTOR ADM is software used predominantly for managing NAS devices, catering to both private and enterprise storage solutions. This network-attached storage system software allows users to back up, sync, and share data from centralized data storage remotely and securely. ASUSTOR ADM is utilized by various sectors for efficient data management, ensuring data's security and accessibility. Featuring a user-friendly interface, it is ideal for those who need a comprehensive and manageable storage solution. Many enterprises leverage ASUSTOR ADM for its great balance between functionality, cost, and user control. The flexibility of its setup options adapts well to growing storage needs within an organization.

SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows for unauthorized viewing of data, which could lead to further attacks on the system. The vulnerability detected in ASUSTOR ADM allows attackers to execute arbitrary SQL commands in the database. It can be exploited through the manipulation of the 'album_id' parameter in the endpoint '/photo-gallery/api/album/tree_lists/'. Successful compromise could lead to considerable information exposure or even system takeover. Such vulnerabilities are critical due to their potential impact and exploitability.

The vulnerability is triggered by specially crafted payloads submitted to the ASUSTOR ADM endpoint. Attackers can manipulate the 'album_id' parameter to inject SQL code, using the SQL Sleep function or logical operations to verify that the injection works. If a vulnerable parameter accepts unsanitized input, attackers can alter the SQL queries executed by the backend database server. The check evaluates the delay in response time and verifies error messages or other expected output after injection. This kind of parameter tampering is a typical blind SQL injection vector. Injection points of this kind in ASUSTOR ADM let attackers execute queries on its database backend without prior authorization.
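For defenders, the same two signals the check relies on (a tampered 'album_id' and a delayed response) can be looked for in web logs. The following is an added example, not part of the scanner or of ASUSTOR ADM; the log layout, the query-string placement of 'album_id', the numeric-only rule and the 3-second threshold are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/photo-gallery/api/album/tree_lists"  # path named on this page
SLOW_SECONDS = 3.0  # assumed threshold for a time-based probe

# Assumed access-log layout (constructed): combined-style fields ending in
# the request duration in seconds.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<secs>\d+(?:\.\d+)?)$'
)

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /photo-gallery/api/album/tree_lists/?album_id=42 HTTP/1.1" 200 512 0.031
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /photo-gallery/api/album/tree_lists/?album_id=42%27 HTTP/1.1" 500 90 0.020
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /photo-gallery/api/album/tree_lists/?album_id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 5.044
192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /photo-gallery/api/album/tree_lists/?album_id=43 HTTP/1.1" 200 512 4.200
192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /portal/?note=it%27s HTTP/1.1" 200 100 0.010
"""


def triage(log_text):
    """Return (ip, album_id values, reasons) for suspicious endpoint hits."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        url = urlsplit(m["uri"])
        if unquote(url.path).rstrip("/") != ENDPOINT:
            continue  # only the endpoint named in the advisory text
        values = parse_qs(url.query, keep_blank_values=True).get("album_id", [])
        reasons = []
        # Assumption: a legitimate album_id is a plain decimal integer.
        if any(not re.fullmatch(r"[0-9]+", v) for v in values):
            reasons.append("non-numeric album_id")
            # Slowness alone is not flagged; it only counts with a tampered value.
            if float(m["secs"]) >= SLOW_SECONDS:
                reasons.append("slow response")
        if reasons:
            findings.append((m["ip"], values, reasons))
    return findings


if __name__ == "__main__":
    for ip, values, reasons in triage(SAMPLE_LOG):
        print(ip, values, ", ".join(reasons))
```

A slow request with a purely numeric 'album_id' is deliberately not reported, since slowness on its own is common on a busy NAS.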

Possible effects when this vulnerability is exploited include unauthorized access to sensitive data, such as user credentials or financial information. Once the database structure is accessed, it is possible to extract data or even make unauthorized alterations to it. Further malicious activity may involve corrupting data, installing a backdoor, or using the gained control to its full advantage in a cyber-espionage scheme. Such SQL injections could also be stepping stones to command execution depending on the database server's configuration and privileges. Data breaches due to SQL injection can lead to long-term reputational harm and financial losses for the affected organization.
