MaxWebPortal password.asp memKey Variable SQL Injection

2005-05-24T07:30:10
ID OSVDB:16847
Type osvdb
Reporter Soroush Dalili (irsdl@yahoo.com)
Modified 2005-05-24T07:30:10

Description

Vulnerability Description

MaxWebPortal contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'memKey' variable in the 'password.asp' script not being properly sanitized.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.maxwebportal.com/
Security Tracker: 1014048
Secunia Advisory ID: 15511
ISS X-Force ID: 20772
Generic Exploit URL: http://www.securiteam.com/exploits/5QP0L1PFPO.html
CVE-2005-1779
Bugtraq ID: 13762