Hosting Controller IISManagerDB.asp Search Field SQL Injection

2005-07-12T05:45:31
ID OSVDB:17901
Type osvdb
Reporter Soroush Dalili (irsdl@yahoo.com)
Modified 2005-07-12T05:45:31

Description

Vulnerability Description

Hosting Controller contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'IISManagerDB.asp' script not properly sanitizing user-supplied input to the 'search' field. This may allow an authenticated remote attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Advanced Communications has released a patch to address this vulnerability.

References:

Vendor URL: http://hostingcontroller.com
Security Tracker: 1014468
Secunia Advisory ID: 15975
Related OSVDB ID: 17899
Related OSVDB ID: 17900
Related OSVDB ID: 17902
Related OSVDB ID: 17905
Related OSVDB ID: 17903
Related OSVDB ID: 17904
Nessus Plugin ID: 19194
Bugtraq ID: 14283