Security Issue 20101222-0700 Vulnerability Note
SQL Authentication Vulnerability
IntegraXor 3.6.4000.5 adds Read and Write level columns to the database table, which allow the user to configure a security level for each individual database entry. Now only a user with a security level higher than or equal to the read level can browse trend and alarm data, and only a user with a security level higher than or equal to the write level can acknowledge alarms. Credit for finding this vulnerability goes to a security researcher from Virtual Security Research, who reported it to ICS-CERT on 22nd December 2010.
Every database can have its own read and write level settings, which are associated with the User level/privilege setting. Note that the default level for both read and write is nil, which applies no security; this is to ensure compatibility with previously developed projects. The user must manually enter a higher security level as the project requires.
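The level rule and the nil default described above, as an added Python example (not IntegraXor's own code): it models the read/write check and lists the entries still left at the unprotected default. The integer levels, the entry names and treating an unauthenticated user as having no level are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DbEntry:
    """One database entry; None models the default "nil" level (hypothetical layout)."""
    name: str
    read_level: Optional[int] = None
    write_level: Optional[int] = None


def meets_level(user_level: Optional[int], required: Optional[int]) -> bool:
    """A nil requirement applies no check; otherwise user level must be >= required."""
    if required is None:
        return True                 # default: no security on this column
    if user_level is None:
        return False                # assumption: unauthenticated user has no level
    return user_level >= required


def can_browse(user_level: Optional[int], entry: DbEntry) -> bool:
    return meets_level(user_level, entry.read_level)


def can_acknowledge(user_level: Optional[int], entry: DbEntry) -> bool:
    return meets_level(user_level, entry.write_level)


def unprotected(entries: List[DbEntry]) -> List[Tuple[str, str]]:
    """Return (entry, column) pairs still at the nil default after an upgrade."""
    findings = []
    for e in entries:
        if e.read_level is None:
            findings.append((e.name, "read"))
        if e.write_level is None:
            findings.append((e.name, "write"))
    return findings


# Constructed sample project: one hardened entry, one half-set, one untouched.
SAMPLE_ENTRIES = [
    DbEntry("alarm_log", read_level=2, write_level=5),
    DbEntry("trend_log", read_level=2),
    DbEntry("legacy_log"),
]

if __name__ == "__main__":
    for name, column in unprotected(SAMPLE_ENTRIES):
        print(f"{name}: {column} level is nil, anyone can {column}")
```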
Along with this SQL authentication feature, we have also included an improvement to the Watch List: the Watch Window can now save user-defined lists across sessions. Server stability has also been improved. Lastly, debugging messages in the status output are hidden when debug mode is turned off.
Summary of Events
- 22-Dec-2010: ICS-CERT contacted the IntegraXor support team. The technical report for the vulnerability was received.
- 27-Dec-2010: The IntegraXor development team acknowledged the vulnerability.
- 11-Jan-2011: The security fix was issued as an official release for general download.
- 11-Jan-2011: A public announcement was made by the IntegraXor support team.