The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of ArcGIS Web Server: SQL injection

Synthesis of the vulnerability

An attacker can use the REST interface of the ArcGIS web server, to inject SQL commands, in order to read or alter data.
Severity of this threat: 2/4.
Creation date: 12/11/2012.
References for this weakness: BID-56474, CVE-2012-4949, NIM084249, VIGILANCE-VUL-12128, VU#795644.

Description of the vulnerability

The ArcGIS web server has a REST interface, which is reachable on port 6080/tcp, so that users can remotely query the service.

The "where" parameter of the "query" feature is used to filter queries. However, this parameter is not filtered before being inserted into a SQL query.

An attacker can therefore use the REST interface of the ArcGIS web server, to inject SQL commands, in order to read or alter data.
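The following added example (not code from Vigil@nce or from Esri) contrasts the defect described above with a hardened handler. It uses an in-memory SQLite table as a constructed stand-in for the database behind the "query" endpoint; the table, its rows, the restricted where-clause grammar and all function names are assumptions for illustration only, not the ArcGIS implementation.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the feature database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parcels (objectid INTEGER, owner TEXT, zone TEXT)")
    conn.executemany(
        "INSERT INTO parcels VALUES (?, ?, ?)",
        [(1, "alice", "R1"), (2, "bob", "C2"), (3, "carol", "R1")],  # constructed rows
    )
    return conn


def query_vulnerable(conn, where):
    """Mirrors the weakness in the bulletin: the caller-supplied 'where'
    string is concatenated straight into the SQL text, so any SQL the
    caller appends is executed with the service's database privileges."""
    sql = "SELECT objectid, owner FROM parcels WHERE " + where + " ORDER BY objectid"
    return conn.execute(sql).fetchall()


# Hardened variant: accept only a restricted grammar (one comparison of a
# known field against a quoted string or an integer), then bind the literal
# as a parameter so it can never be interpreted as SQL.
ALLOWED_FIELDS = {"objectid", "owner", "zone"}
CLAUSE = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*(<=|>=|<>|=|<|>)\s*(?:'([^']*)'|(-?\d+))\s*$"
)


def parse_where(where):
    """Return (field, operator, value) or raise ValueError for anything
    outside the allowed grammar (extra conditions, comments, semicolons,
    unknown fields, unquoted strings)."""
    m = CLAUSE.match(where)
    if m is None:
        raise ValueError("unsupported where clause")
    field, op, str_lit, num_lit = m.groups()
    field = field.lower()
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field")
    value = int(num_lit) if num_lit is not None else str_lit
    return field, op, value


def is_safe_where(where):
    """Boolean form of the validator, handy for a WAF-style pre-check."""
    try:
        parse_where(where)
        return True
    except ValueError:
        return False


def query_hardened(conn, where):
    """Validated field and operator are interpolated from the allow-list;
    the literal travels as a bound parameter."""
    field, op, value = parse_where(where)
    sql = f"SELECT objectid, owner FROM parcels WHERE {field} {op} ? ORDER BY objectid"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "zone = 'R1'"
    tampered = "zone = 'R1' OR 1=1"  # extra condition appended by the caller
    print("vulnerable, benign :", query_vulnerable(db, benign))
    print("vulnerable, tampered:", query_vulnerable(db, tampered))  # leaks every row
    print("hardened, benign   :", query_hardened(db, benign))
    print("hardened, tampered :", is_safe_where(tampered))  # False -> request rejected
```

The ArcGIS REST API accepts a free-form SQL expression in "where" by design, so the allow-list grammar above is deliberately narrower than the real feature; the point it makes is that whatever subset of expressions a service must support should be parsed and re-emitted with bound parameters rather than spliced into the query text.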

This weakness alert impacts software or systems such as ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.

Our Vigil@nce team determined that the severity of this computer vulnerability note is medium.

The trust level is: confirmed by a trusted third party. The attack origin is: intranet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat

ArcGIS 10.1 SP1: patch.
A patch is available:
  http://support.esri.com/en/downloads/patches-servicepacks/view/productid/66/metaid/1930

ArcGIS Web Server: workaround for SQL injection.
A workaround is to filter access to port 6080/tcp.

ArcGIS Server 10 SP5: patch.
A patch is available:
  http://support.esri.com/en/downloads/patches-servicepacks/view/productid/66/metaid/1932

Computer vulnerabilities tracking service

Vigil@nce provides software vulnerability notes. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.