myNewsletter 1.1.2 SQL_Injection
[KAPDA::#47] - myNewsletter 1.1.2 SQL_Injection

SQL_Injection

-------

KAPDA New advisory

Vulnerable products : myNewsletter <= 1.1.2
Vendor: http://www.aspburst.com/index.asp
Risk: Medium
Vulnerability: SQL_Injection

Date :
--------------------
Found : 2006/06/05
Vendor Contacted : 2006/06/06
Release Date : 2006/06/06

Discussion :
----------------
The 'UserName' parameter handled by "validatelogin.asp" (submitted from "adminlogin.asp") is concatenated into a SQL query without escaping, so an attacker can enter SQL commands in that field to log in to the system.

Proof of Concepts:
--------------------

KAPDA myNewsletter 1.1.2 Login bypass PoC

Change the form action in the page source and then submit:

action="http://www.site.com/newsletter/adminLogin.asp"

(Only the action attribute of the PoC form survived in the archived page.)

www.kapda.ir (http://www.kapda.ir)

Solution:
--------------------
Nothing yet by vendor.

Our solution:

in 'validatelogin.asp':

function validateLogin(theUserName, thePassword)
    sqlString = "Select Password from Newsletter_Admin Where UserName = '" & theUserName & "'"

change to this:

function validateLogin(theUserName, thePassword)
    theUserName = replace(theUserName, "'", "''")
    sqlString = "Select Password from Newsletter_Admin Where UserName = '" & theUserName & "'"

Original Advisory:
--------------------
http://www.kapda.ir/advisory-340.html

Credit :
--------------------
FarhadKey of KAPDA
farhadkey [at} kapda {d0t} net
Kapda - Security Science Researchers Institute of Iran
http://www.KAPDA.ir
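The three lookups below are an added illustration of the fix above, not code from KAPDA or from the myNewsletter vendor. They mirror the advisory's validateLogin logic in Python against an in-memory SQLite stand-in for the Newsletter_Admin table (the table and column names come from the advisory; the two rows are constructed sample data). The first lookup is the original string concatenation, the second is the advisory's quote-doubling workaround, and the third is the parameterized query a practitioner would deploy instead, since it removes the string-building step entirely rather than patching it.

```python
import hmac
import sqlite3


def make_db():
    """Constructed in-memory copy of the table named in the advisory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Newsletter_Admin (UserName TEXT, Password TEXT)")
    # Constructed sample rows; the second name contains a single quote on purpose.
    con.executemany(
        "INSERT INTO Newsletter_Admin VALUES (?, ?)",
        [("admin", "s3cret"), ("o'brien", "pa55")],
    )
    con.commit()
    return con


def lookup_vulnerable(con, user_name):
    """Original validatelogin.asp behaviour: the user name is pasted into the SQL text.

    Returns the matching passwords, or None when the concatenated statement no
    longer parses (which is exactly what an unescaped quote does to it).
    """
    sql = "SELECT Password FROM Newsletter_Admin WHERE UserName = '" + user_name + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_quote_doubled(con, user_name):
    """The advisory's workaround: double every single quote before concatenation."""
    escaped = user_name.replace("'", "''")
    sql = "SELECT Password FROM Newsletter_Admin WHERE UserName = '" + escaped + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, user_name):
    """Preferred fix: bind the value, so the driver never treats it as SQL syntax."""
    sql = "SELECT Password FROM Newsletter_Admin WHERE UserName = ?"
    return [row[0] for row in con.execute(sql, (user_name,))]


def validate_login(con, user_name, password, lookup=lookup_parameterized):
    """Equivalent of validateLogin(theUserName, thePassword).

    True only when exactly one row matches and its stored password equals the
    supplied one; the comparison is constant-time to avoid a timing side channel.
    """
    rows = lookup(con, user_name)
    if not rows or len(rows) != 1:
        return False
    return hmac.compare_digest(rows[0], password)


if __name__ == "__main__":
    db = make_db()
    for name in ("admin", "o'brien"):
        print(name,
              "vulnerable:", lookup_vulnerable(db, name),
              "doubled:", lookup_quote_doubled(db, name),
              "parameterized:", lookup_parameterized(db, name))
```

Running the block shows that all three lookups agree on a plain user name, while the original concatenation breaks as soon as the name contains a quote; the quote-doubled and parameterized versions both return the right row. Quote doubling only covers the one metacharacter it replaces and depends on the database's quoting rules, which is why the bound parameter is the version to keep.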