A tale of two SQLis at Avira

It has been a long time since we posted a security article. So here we go with two little SQL Injection vulnerabilities that we discovered in an AVIRA product roughly a year ago.

Avira is a very popular antivirus company and their free antivirus version is running on a huge number of devices. However, we did not focus on the software, but on their web-based “Managed Email Security” product.

While surfing around on their “Managed Email Security” website, we noticed that some parameters were not sanitized properly before being embedded in a SQL query. This led to the following blind SQL Injections:

URL: https://ames.avira.com/?action=user_overview&user_id=133216
Parameter: user_id
PoC: user_id=133216'+and+'1'='1'+--+

URL: https://ames.avira.com/vnQuarantine.php?box=demo@demo-ames.com
Parameter: box
PoC: box=demo@demo-ames.com'+and+'1'='1
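
The class of bug behind the first PoC, next to its fix, as an added example that is not part of the original post and is not Avira's code. It assumes a SQLite table `users` with constructed rows; the table, the function names and the backend are hypothetical stand-ins.

```python
import sqlite3

# The user_id PoC value from the post after URL decoding ('+' is a space).
POC = "133216' and '1'='1' -- "

def make_db():
    # Constructed stand-in schema and rows; the real AMES backend is unknown.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("133216", "demo@demo-ames.com"), ("133217", "other@demo-ames.com")],
    )
    return db

def lookup_vulnerable(db, user_id):
    # Unsafe: the request value is pasted into the SQL text, so a quote in it
    # closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT email FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # Safe: the value is bound as data and is never parsed as SQL.
    sql = "SELECT email FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def lookup_validated(db, user_id):
    # Defence in depth: a numeric id must be ASCII digits before it is bound.
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("user_id must be numeric")
    return lookup_parameterized(db, user_id)

if __name__ == "__main__":
    db = make_db()
    # The concatenated query accepts the PoC as valid SQL and answers as if
    # the plain id had been sent; that is the signal the post reports.
    print("vulnerable, clean id:", lookup_vulnerable(db, "133216"))
    print("vulnerable, PoC     :", lookup_vulnerable(db, POC))
    # Bound as a parameter, the same value is just an id that matches no row.
    print("parameterized, PoC  :", lookup_parameterized(db, POC))
    try:
        lookup_validated(db, POC)
    except ValueError as exc:
        print("validated, PoC      : rejected,", exc)
```
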

We notified Avira’s support (support [AT] avira.com) about these issues on the 7th of August 2013. They quickly forwarded the information to the correct department. We exchanged two more emails about a more detailed PoC and the impact of the bugs, but after a total of five days (12th of August 2013) the bug had been patched and a fix was pushed into production.

Unfortunately, Avira informed us that they’ve stopped giving away swag for security issues. It seems like it’s still a long way until Avira will start a bug bounty, even though they have a responsible disclosure program.

Nevertheless, the communication with Avira was quite good.

The Team of Internetwache.org

Screenshots:

AMES SQL Injection - Screenshot 1

AMES SQL Injection - Screenshot 2

AMES SQL Injection - Screenshot 3

AMES SQL Injection - Screenshot 4