Posted by Patrick Webster via Fulldisclosure on Apr 04
https://www.osisecurity.com.au/airwatch-self-service-portal-username-parameter-ldap-injection.html
Date: 04-Apr-2017
Product: AirWatch Self Service MDM
Versions affected: v6.1.x, v6.4.x
Vulnerability: LDAP injection
Example:
The URL https://[target]/DeviceManagement/ accepts the following POST parameters:
AuthenticationMode
ActivationCode
Username
Password
Login
The ‘Username’ parameter appears to be vulnerable to an LDAP injection…
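
For defenders, an added example (not part of the advisory and not vendor code) of the two controls that apply to this class of bug: escaping the submitted Username per RFC 4515 before it is placed in a search filter, and flagging login POST bodies whose Username carries filter metacharacters. The filter template (`objectClass=person`, `sAMAccountName`), the function names and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_META = re.compile(r"[\\*()\x00]")


def escape_filter_value(value: str) -> str:
    """Return value with every LDAP filter metacharacter hex-escaped."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Build a lookup filter; the attribute names are an assumed schema."""
    return "(&(objectClass=person)(sAMAccountName=%s))" % escape_filter_value(username)


def flag_username(post_body: str):
    """Return the decoded Username if it contains filter metacharacters, else None."""
    fields = parse_qs(post_body, keep_blank_values=True)
    for value in fields.get("Username", []):
        if _META.search(value):
            return value
    return None


# Constructed form bodies using the parameter names listed in the advisory.
SAMPLE_BODIES = [
    "AuthenticationMode=1&ActivationCode=&Username=jdoe&Password=x&Login=Login",
    "AuthenticationMode=1&ActivationCode=&Username=j%2A&Password=x&Login=Login",
    "AuthenticationMode=1&ActivationCode=&Username=svc%28test%29&Password=x&Login=Login",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        user = parse_qs(body, keep_blank_values=True)["Username"][0]
        status = "FLAG" if flag_username(body) else "ok"
        print(f"{status:4} {user!r:14} -> {build_user_filter(user)}")
```

Escaping is the fix; the metacharacter check is only a detection aid for web or proxy logs and will also match legitimate names that contain parentheses.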