Vulners
Lucene search
Echo Security Advisory 2005.19
`---------------------------------------------------------------------------
[ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Products
---------------------------------------------------------------------------
Author: Dedi Dwianto
Date: June, 22th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv19-theday-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : - DUportal PRO ver 3.4.3
- DUamazon Pro ver 3.0 and ver 3.1
- DUpaypal Pro Ver 3.0
- DUforum Ver 3.1
- DUclassmate Ver 1.2
URL : http://www.duresources.com
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. DUportal Pro
* http://victim/DUportalPro34/Articles/default.asp?iChannel=2[SQL Inject]&nChannel=Articles
* http://victim/DUportalPro34/Articles/detail.asp?iData=4[SQL Inject]&iCat=292&iChannel=2&nChannel=Articles
* http://victim/DUportalPro34/home/members.asp?iMem=[SQL Inject]
* http://victim/DUportalPro34/topics/cat.asp?iCat=4[SQL Inject]&iChannel=16&nChannel=Topics
* http://victim/DUportalPro34/Polls/default.asp?iChannel=15[SQL Inject]&nChannel=Polls
* http://victim/DUportalPro34/home/members.asp?iMem=[SQL Inject]
* http://victim/DUportalPro34/admin/members_listing_approval.asp?offset=[SQL Inject]
* http://victim/DUportalPro34/admin/channels_edit.asp?iChannel=7[SQL inject]&nChannel=[Name Module]
B. DUamazon Pro
* http://victim/DUamazonPro/shops/cat.asp?iCat=19[SQL Inject]
* http://victim/DUamazonPro/shops/sub.asp?iSub=18[SQL Inject]
* http://victim/DUamazonPro/shops/detail.asp?iPro=34&iSub=17[SQL Inject]
* http://victim/DUamazonPro/shops/review.asp?iSub=17&iPro=36[SQL Inject]
* http://victim/DUamazonPro/admin/catEdit.asp?iCat=12[SQL Inject]
* http://victim/DUamazonPro/admin/catDelete.asp?iCat=13[SQL Inject]
* http://victim/DUamazonPro/admin/productEdit.asp?iPro=34&iCat=12[SQL Inject]
* http://victim/DUamazonPro/admin/productDelete.asp?iPro=37&iCat=12[SQL Inject]
* http://victim/DUamazon/type.asp?iType=1[SQL inject]
C. DUpaypal Pro
* http://victim/DUpaypalPro/shops/cat.asp?iCat=[SQL Inject]
* http://victim/DUpaypalPro/shops/detail.asp?iPro=40[SQL Inject]&iSub=
* http://victim/DUpaypalPro/shops/sub.asp?iSub=[SQL Inject]
* http://victim/DUpaypalPro/admin/catEdit.asp?iCat=[SQL inject]
D. DUforum
* http://victim/DUforum/messages.asp?iMsg=[SQL Inject]248&iFor=6
* http://victim/DUforum/post.asp?iFor=6[SQL Inject]
* http://victim/DUforum/forums.asp?iFor=[SQL Inject]
* http://victim/DUforum/admin/userEdit.asp?id=[SQL Inject]
E. DUclassmate
* http://victim/DUclassmate/default.asp?iState=[SQL Inject]&nState=Florida
* http://victim/DUclassmate/admin/edit.asp?iPro=[SQL Inject]
F. Fix
Vendor allready contacted at 20 June 2005 but no response till now
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ [email protected] ,
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jun 2005 00:00Current
0.4Low risk
Vulners AI Score0.4