MaxWebPortal privatedelete.asp id Variable SQL Injection

2005-05-10T06:37:38
ID OSVDB:16517
Type osvdb
Reporter Soroush Dalili(irsdl@yahoo.com)
Modified 2005-05-10T06:37:38

Description

Vulnerability Description

MaxWebPortal contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'id' variable in the privatedelete.asp script not being properly sanitized, which may allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.


References:

Vendor URL: http://www.maxwebportal.com/
Security Tracker: 1013932
Related OSVDB ID: 16514
Related OSVDB ID: 16518
Related OSVDB ID: 16519
Related OSVDB ID: 16510
Related OSVDB ID: 16512
Related OSVDB ID: 16508
Related OSVDB ID: 16509
Related OSVDB ID: 16511
Related OSVDB ID: 16513
Related OSVDB ID: 16515
Related OSVDB ID: 16507
Related OSVDB ID: 16516