Confixx change user Field SQL Injection

2005-04-25T10:57:19
ID OSVDB:15815
Type osvdb
Reporter Erich Klaus(DR.erich@gmx.net)
Modified 2005-04-25T10:57:19

Description

Vulnerability Description

Confixx contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The 'change user' field in the 'Reseller Interface' is not properly sanitized before being used in a database query, so input supplied in that field may be used to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Confixx contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The 'change user' field in the 'Reseller Interface' is not properly sanitized before being used in a database query, so input supplied in that field may be used to inject or manipulate SQL queries.

Manual Testing Notes

From the Reseller interface (logged in with reseller privileges): enter '# in the "change user" field.

References:

Vendor URL: http://www.sw-soft.com/en/products/confixx/
Secunia Advisory ID: 15121
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0394.html
Bugtraq ID: 13355