thePHOTOtool login.asp Password Field SQL Injection

2004-01-30T00:00:00
ID OSVDB:6727
Type osvdb
Reporter Mr Serbia (serbian_sniper@hotmail.com)
Modified 2004-01-30T00:00:00

Description

Vulnerability Description

thePHOTOtool contains a flaw that allows an attacker to inject arbitrary SQL code. The login variable in the login.asp module is not properly validated, which allows an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.thephototool.com/
Security Tracker: 1008906
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-02/0003.html
ISS X-Force ID: 15007
Generic Exploit URL: http://packetstormsecurity.nl/0401-exploits/phototool.txt
CVE-2004-0236
Bugtraq ID: 9884