VPASP shopexd.asp SQL Injection

2003-07-03T23:15:21
ID OSVDB:2248
Type osvdb
Reporter Bosen(mobile@bosen.net)
Modified 2003-07-03T23:15:21

Description

Vulnerability Description

VP-ASP contains a flaw that allows an attacker to inject arbitrary SQL code. The "tbluser" variable in the "shopexd.asp" module is not properly validated, which allows an attacker to inject or manipulate SQL queries. An attacker is able to inject an arbitrary account with administrative privileges.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.


References:

Vendor URL: http://www.vpasp.com/
Other Advisory URL: http://bosen.net/releases/?id=41
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-07/0031.html
ISS X-Force ID: 12506
CVE-2003-0560
Bugtraq ID: 8159