Software Engineering Institute

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-6566

According to the reporter, the valueAsString parameter inside the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter is not properly validated. An unauthenticated remote attacker may be able to modify the POST request and insert a SQL query which may then be executed by the backend server. According to the reporter, eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.

A remote unauthenticated attacker may be able to run a subset of SQL commands against the back-end database.

Apply a patch

Sungard has provided the following statement:

SunGard Public Sector appreciates that this issue has been brought to our attention.   Our development team has addressed this report with a patch release.  Please contact the SunGard Public Sector TRAKiT Solutions division to request the patch release.  (858) 451-3030.

However, affected users may also consider the following workaround:

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.