Important: CSWorks security release 2.5.5233.0
Date: May 8, 2014
Subject: SQL injection vulnerability in CSWorks LiveData Service
Versions: 2.5.5050.0 and earlier
Summary: Remote attackers can achieve remote code execution on the server running CSWorks LiveData Service via SQL injection on.
CSWorks LiveData Service 2.5.5050.0 and earlier allows remote attackers to perform SQL injection via CSWorks LiveData web API and achieve remote code execution using mySQL "INTO OUTFILE" feature.
When using SQL database as CSWorks data source, make sure CSWorks is using the database engine account that does not allow perform actions that go beyond the scope of CSWorks LiveData operations - selecting and updating records in specific SQL tables. Under no circumstances should administrators give root access to CSWorks. Also, administrators should not allow unauthorized users to access CSWorks web API.
CSWorks 2.5.5233.0 has been issued as security release to correct the defect. CSWorks administrators running affected versions are advised to (in the order of importance):
- verify CSWorks LiveData Service SQL database settings;
- verify CSWorks web API access policy;
- upgrade to 2.5.5233.0 (available at CSWorks web site http://www.controlsystemworks.com/DownloadDescription.aspx).
The vulnerability was reported by John Leitch working with HP Zero Day Initiative