The Nessus scanner identified a "CGI Generic SQL Injection" vulnerability on the WebADM HTTPS port (WebADM v.2.0.8).
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The 'dn' parameter of the /admin/login_uid.php CGI :
/admin/login_uid.php?password=&login=1&dn=zz&login=1&dn=yy
-------- output --------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "
http://www.w3.org/TR/html4/loose.dtd"><!-- WebADM Free Edition, provided by RCDe
vs Security SA --><!-- Copyright 2010-2020 RCDevs Security (
http://www.rcdevs.com/), All rights reserved --><html><head><meta name="viewpo [...]
-------- vs --------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "
http://www.w3.org/TR/html4/loose.dtd"><!-- WebADM Free Edition, provided by RCDe
vs Security SA --><!-- Copyright 2010-2020 RCDevs Security (
http://www.rcdevs.com/), All rights reserved --><html><head><meta name="viewpo [...]
I was wondering whether upgrading to the latest v.2.0.22 would resolve this issue, or whether there are any other recommendations.
Slava.