DDIVRT-2009-25 IPsession SQL Injection Vulnerability

2009-05-21T00:00:00
ID SECURITYVULNS:DOC:21864
Type securityvulns
Reporter Securityvulns
Modified 2009-05-21T00:00:00

Description

Title

DDIVRT-2009-25 IPsession SQL Injection Vulnerability

Severity

Medium

Date Discovered

March 31, 2009

Discovered By

Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description

IPsession runs a web interface on port 8090 that requires valid login credentials. This interface uses user-supplied input to form a database query and is vulnerable to SQL injection, which may be used to bypass authentication.
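The defect class described above, shown as an added example that is not code from IPsession or from this advisory. The table, account, salt and function names are constructed assumptions, since the product's schema and implementation language are not given here. A single quote in the user name is enough to show the concatenated query parsing input as SQL, while the bound parameter keeps it as data.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"  # constructed sample value, not from the product


def pw_hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed one-table schema standing in for the unknown product schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("operator", pw_hash("sample-pass")))
    return db


def login_concatenated(db, name: str, password: str) -> bool:
    """Defective pattern: the user name is pasted into the SQL text, so the
    database parses any quote in it as SQL syntax rather than as data."""
    sql = "SELECT pw_hash FROM users WHERE name = '" + name + "'"
    row = db.execute(sql).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def login_parameterized(db, name: str, password: str) -> bool:
    """Corrected pattern: the statement text is fixed and the value is bound
    separately, so it cannot change the structure of the statement."""
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def probe(login, name: str, password: str) -> str:
    """Return 'ok', 'denied' or 'sql-error' for one login attempt."""
    try:
        return "ok" if login(make_db(), name, password) else "denied"
    except sqlite3.Error:
        return "sql-error"
```

A database error triggered by ordinary punctuation in a login field, as `probe` reports for the concatenated form, is also a useful signal to look for in application logs.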

Solution Description

Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions)

Unknown version on Windows 2003

Vendor Contact

Name: IPcelerate
Website: http://www.ipcelerate.com/ipsession.html