Outfront Spooky 2.x Login SQL Query Manipulation Password Vulnerability

2002-05-02T00:00:00
ID EDB-ID:21434
Type exploitdb
Reporter anonymous
Modified 2002-05-02T00:00:00

Description

Outfront Spooky 2.x Login SQL Query Manipulation Password Vulnerability. CVE-2002-1720. Webapps exploit for asp platform

                                        
                                            source: http://www.securityfocus.com/bid/4661/info

Spooky Login is a commerical web access control and account management software package. It is distributed and maintained by Outfront, and is designed for Microsoft IIS Webservers.

Under some circumstances, it may be possible for a remote user to gain unauthorized access to pages protected by Spooky Login. The problem is a SQL query manipulation vulnerability in the authentication component.

It is possible for remote attackers to corrupt the logic of queries such that a successful login will occur regardless of the supplied password. 

User: admin (this selects the first index from the table)
Password: ' OR ''='