Active Auction House sendpassword.asp Email Field SQL Injection

2005-04-05T10:32:51
ID OSVDB:15283
Type osvdb
Reporter Diabolic Crab (dcrab@hackerscenter.com)
Modified 2005-04-05T10:32:51

Description

Vulnerability Description

Active Auction House contains a flaw that may allow an attacker to inject arbitrary SQL queries. The sendpassword.asp script does not properly sanitize the Email field, which may allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.activewebsoftwares.com/
Security Tracker: 1013649
Secunia Advisory ID: 14839
Related OSVDB ID: 15281
Related OSVDB ID: 15282
Related OSVDB ID: 15285
Related OSVDB ID: 15284
Related OSVDB ID: 15286
Related OSVDB ID: 15287
Other Advisory URL: http://digitalparadox.org/advisories/aass.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0079.html