DUclassified Admin Page user Parameter SQL Injection

2004-10-12T00:42:46
ID OSVDB:10668
Type osvdb
Reporter Soroush Dalili(irsdl@yahoo.com)
Modified 2004-10-12T00:42:46

Description

Vulnerability Description

DUclassified contains a flaw that allows an attacker to inject arbitrary SQL code. The "user" parameter passed to the admin page is not validated properly before it is used in a database query, so an attacker can inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

DUclassified contains a flaw that allows an attacker to inject arbitrary SQL code. The "user" parameter passed to the admin page is not validated properly before it is used in a database query, so an attacker can inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/DUclassified/admin/user= admin' or '1'='1
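As an added illustration (not code from DUclassified or from this advisory), the following Python/sqlite3 model shows the class of defect described above, a lookup whose WHERE clause is built by concatenating the "user" parameter, beside the parameterized form that removes it. DUclassified itself is a classic ASP application; the table name, column names and sample row here are constructed stand-ins, and the payload is the one from the manual testing note. The `is_plausible_username` allow-list check is an added defence-in-depth layer, not a replacement for parameterized queries.

```python
import re
import sqlite3

# Constructed sample schema and data: a stand-in for the admin user table.
# The real DUclassified schema is not part of the advisory and is not assumed.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (user TEXT NOT NULL, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'SAMPLE-PASSWORD-HASH')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> list[str]:
    """The defect the advisory describes: the request value is pasted into the
    SQL text, so a quote inside it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT user FROM admins WHERE user = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, user: str) -> list[str]:
    """Hardened form: the value is bound as a parameter by the driver and is
    compared as data, never interpreted as part of the statement."""
    sql = "SELECT user FROM admins WHERE user = ?"
    return [row[0] for row in conn.execute(sql, (user,))]


# Hypothetical allow-list for the "user" parameter (constructed policy: letters,
# digits, underscore, 1-32 chars). Rejecting odd input early is useful for
# logging and alerting, but binding parameters is what actually closes the hole.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_plausible_username(user: str) -> bool:
    return _USERNAME_RE.fullmatch(user) is not None


if __name__ == "__main__":
    db = build_db()
    payload = "admin' or '1'='1"   # value from the advisory's manual testing note
    print("vulnerable   :", lookup_vulnerable(db, payload))    # bypass: row returned
    print("parameterized:", lookup_parameterized(db, payload)) # no match
    print("allow-list   :", is_plausible_username(payload))    # False
```

Running the block shows the concatenated query returning the admin row for a value that is not a valid username at all, while the parameterized query returns nothing for the same input; the allow-list result is the kind of signal a request log filter can key on.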

References:

Vendor URL: http://www.duware.com/products/detail.asp?iPro=19&iCat=9&nCat=Ad%20Management
Security Tracker: 1011596
Related OSVDB ID: 10669
ISS X-Force ID: 17685
CVE: CVE-2004-2202
Bugtraq ID: 11363