MaxWebPortal search.asp andor Variable SQL Injection

2005-05-11T05:14:07
ID OSVDB:16504
Type osvdb
Reporter Zinho (zinho@hackerscenter.com)
Modified 2005-05-11T05:14:07

Description

Vulnerability Description

MaxWebPortal contains a flaw that may allow an attacker to inject arbitrary SQL queries. The 'andor' variable in the search.asp script is not properly sanitized, which may allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.maxwebportal.com/
Related OSVDB ID: 16501
Related OSVDB ID: 16502
Related OSVDB ID: 16505
Related OSVDB ID: 16503
Related OSVDB ID: 16506
Other Advisory URL: http://www.hackerscenter.com/archive/view.asp?id=2542
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0122.html
ISS X-Force ID: 20562
CVE-2005-1562
Bugtraq ID: 13601