Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: bt648.txt

Mail System Ver. 0.9 Beta CGI:

ZH2003-10SA (security advisory): Mail System Ver. 0.9 Beta.

Published: 16/07/2003

Released: 16/07/2003

Name: Mail System Ver. 0.9 Beta

Affected Systems: All versions (?)

Issue: Remote attackers can view all messages (and sql injection 





Zone-h Security Team has discovered a serious security flaw in Mail System 

Ver. 0.9 Beta.

This is a simple internal mail system, originaly developed for an intranet 




Mail System Ver. 0.9 Beta is a simple internal mail system in ASP. 

It's possible to retrieve all messages from it. 

Everyone can download the database at the following url:

Moreover there is a sql injection vulnerability in the login 

authentication form.

It's located at:

>From there it's possible to login with these strings:

Login name: ' or 'a'='a

Password: ' or 'a'='a



The vendor has been contacted and a patch is not yet produced



Protect the message file, rewrite the login procedure. 

G00db0y - admin

Original advisory here:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH