WebStore sign_in.aspx Password Variable SQL Injection

2007-07-27T00:00:00
ID OSVDB:36465
Type osvdb
Reporter Aria-Security Team
Modified 2007-07-27T00:00:00

Description

Manual Testing Notes

http://[target]/[path]/sign_in.aspx

To demonstrate this issue, use a valid username, such as 'admin', in the Username field, and the following string for the password field of the vulnerable script:

anything' OR 'x'='x
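
Why the string above is accepted, as an added example (not WebStore's code and not part of the original advisory): a login check that concatenates input into its SQL text is set beside the same check using bound parameters. The users table, the query text and the stored password are assumptions made for illustration, modelled in Python with sqlite3 rather than the application's ASP.NET stack.

```python
import sqlite3

PAYLOAD = "anything' OR 'x'='x"  # the password string quoted in the advisory


def make_db():
    # Constructed sample data; the schema is an assumption, not WebStore's.
    # Plaintext storage keeps the model small; real code stores a salted hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db


def build_concatenated_sql(username, password):
    # Vulnerable pattern: the input becomes part of the SQL text itself.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_concatenated(db, username, password):
    # With PAYLOAD the WHERE clause ends in OR 'x'='x'. AND binds tighter
    # than OR, so the password comparison no longer decides the result.
    sql = build_concatenated_sql(username, password)
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, username, password):
    # Hardened pattern: values are bound as data and never parsed as SQL,
    # so the quote characters in PAYLOAD are just part of a wrong password.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(build_concatenated_sql("admin", PAYLOAD))
    print("concatenated accepts payload: ", login_concatenated(db, "admin", PAYLOAD))
    print("parameterized accepts payload:", login_parameterized(db, "admin", PAYLOAD))
```

The fix on the application side is the second form: every value from the sign-in form is passed as a bound parameter, never spliced into the statement.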

References:

Secunia Advisory ID: 26237
Other Advisory URL: http://outlaw.aria-security.info/?p=10
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-07/0339.html
ISS X-Force ID: 35669
CVE-2007-4109
Bugtraq ID: 25112