A web app vulnerability detection tool has detected that IDACall is vulnerable to (LDAP) injection.
Does this vulnerability also affect SmartGWT?
If so, has a version corresponding to this vulnerability been released?
Or are there any plans to release it?
By the way, I am currently using SmartGWT 4.1.
【Normal】
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
isc_tnum=5&_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object">
<transactionNum xsi:type="xsd:long">5</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object">
<appID>box_setting_connector</appID><className>BoxSettingDispatcher</className><methodName>getBoxDateSetting</methodName>
<arguments xsi:type="xsd:List"></arguments><is_ISC_RPC_DMI xsi:type="xsd:boolean">true</is_ISC_RPC_DMI></elem></operations>
</transaction>&protocolVersion=1.0
HTTP/1.1 200 OK
【Vulnerable】
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
isc_tnum=5&_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object">
<transactionNum xsi:type="xsd:long">5</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object">
<appID>box_setting_connector</appID><className>BoxSettingDispatcher</className><methodName>getBoxDateSetting</methodName>
<arguments xsi:type="xsd:List">))(|(objectclass=*</arguments><is_ISC_RPC_DMI xsi:type="xsd:boolean">true</is_ISC_RPC_DMI>
</elem></operations></transaction>&protocolVersion=1.0
HTTP/1.1 200 OK
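For triaging a finding like the one above, an added example (not code from the original post or from SmartGWT): it shows what the scanner's probe string does to an LDAP filter built by string concatenation, next to the same filter built with RFC 4515 escaping. The class, the method names and the `objectClass=box` / `cn` filter are hypothetical; the example assumes a server-side DMI method passes its argument into an LDAP search, which the requests above do not show.

```java
// Added example, not SmartGWT code. All names and the filter layout are hypothetical.
public class LdapFilterEscapeDemo {

    // Escape a value for use inside an LDAP filter assertion (RFC 4515, section 3).
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Weak pattern: the caller-supplied argument is concatenated as-is.
    static String unsafeFilter(String arg) {
        return "(&(objectClass=box)(cn=" + arg + "))";
    }

    // Corrected pattern: the argument is escaped before it enters the filter.
    static String safeFilter(String arg) {
        return "(&(objectClass=box)(cn=" + escapeFilterValue(arg) + "))";
    }

    // True only if the string is one parenthesised filter with nothing after it.
    static boolean isSingleFilter(String filter) {
        int depth = 0;
        for (int i = 0; i < filter.length(); i++) {
            char c = filter.charAt(i);
            if (c == '(') depth++;
            else if (c == ')') depth--;
            if (depth < 0) return false;
            if (depth == 0 && i < filter.length() - 1) return false;
        }
        return depth == 0;
    }

    public static void main(String[] args) {
        String probe = "))(|(objectclass=*"; // argument value from the scanner's request
        for (String f : new String[] { unsafeFilter(probe), safeFilter(probe) }) {
            System.out.println(f + "  single filter: " + isSingleFilter(f));
        }
    }
}
```

With JNDI, the same effect is available without hand-written escaping by using the `DirContext.search` overload that takes a filter expression with `{0}` placeholders and an `Object[]` of arguments.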