Software: Password protect
Language: ASP
Platforms: Win NT, 2000, XP
Web: http://www.webanimations.com.au/

The ultimate protection including unlimited user names and passwords, each checking their individual IP address. You can add 1 IP address or include a range for users with various IP addresses when they log in.
### SQL Injection ###

A remote user can use an SQL-injection attack to log in as admin or manipulate the database. index_next.asp, ChangePassword.asp, users_edit.asp, users_add.asp are affected.

Example:

/adminSection/index_next.asp?
    admin=(SQLInjection)
    Pass=(SQLInjection)

/adminSection/ChangePassword.asp?
    LoginId=(SQLInjection)
    OPass=(SQLInjection)
    NPass=(SQLInjection)
    CPass=(SQLInjection)

### Cross-site Scripting ###

This software does not filter HTML code from user-supplied input in some scripts.

Example:

/adminSection/index.asp?ShowMsg=(XSS)
/adminSection/ChangePassword.asp?ShowMsg=(XSS)
/adminSection/users_list.asp?ShowMsg=(XSS)
/adminSection/users_add.asp?ShowMsg=(XSS)
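Until the vendor ships a fix, an administrator's practical options are to detect attempts against the affected scripts and parameters in the IIS logs. The script below is an added example written for this page, not code from the Criolabs advisory or from the Password protect product. It maps the scripts and parameter names listed above to the issue class each is affected by, parses W3C extended log lines (the layout IIS writes; the sample lines, IP addresses and payload values are constructed for the demo) and flags requests whose named parameters carry quote or comment characters in the login fields, or HTML markup in ShowMsg. The function names `check_request` and `scan_log` and the indicator patterns are this example's own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts and parameters named in the advisory, keyed by lower-cased path.
SQLI_PARAMS = {
    "/adminsection/index_next.asp": {"admin", "pass"},
    "/adminsection/changepassword.asp": {"loginid", "opass", "npass", "cpass"},
}
XSS_PARAMS = {
    "/adminsection/index.asp": {"showmsg"},
    "/adminsection/changepassword.asp": {"showmsg"},
    "/adminsection/users_list.asp": {"showmsg"},
    "/adminsection/users_add.asp": {"showmsg"},
}

# Coarse indicators chosen for this example: string delimiters / comment markers
# or bare SQL keywords in a login field; tags, URL schemes or event handlers in ShowMsg.
# Tune these for the site; a password containing the word "or" will be flagged.
SQLI_RE = re.compile(r"'|--|;|/\*|\b(or|and|union|select)\b", re.IGNORECASE)
XSS_RE = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)


def check_request(uri, body=""):
    """Return (issue, param, value) findings for one request.

    `uri` is path plus query string; `body` is an optional
    application/x-www-form-urlencoded POST body, since the login form
    may POST and IIS does not log request bodies.
    """
    parts = urlsplit(uri)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    findings = []
    for name, values in params.items():
        lname = name.lower()
        for value in values:
            if lname in SQLI_PARAMS.get(path, ()) and SQLI_RE.search(value):
                findings.append(("sqli", name, value))
            if lname in XSS_PARAMS.get(path, ()) and XSS_RE.search(value):
                findings.append(("xss", name, value))
    return findings


def scan_log(text):
    """Scan W3C extended log text; return (client_ip, path, issue, param) hits."""
    fields = None
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = rec.get("cs-uri-query", "-")
        uri = rec["cs-uri-stem"] + ("" if query == "-" else "?" + query)
        for issue, param, _value in check_request(uri):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], issue, param))
    return hits


# Constructed sample log in IIS W3C layout (addresses from the 192.0.2.0/24 doc range).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-08-06 10:01:02 192.0.2.10 GET /adminSection/index_next.asp admin=alice&Pass=Summer2004 200
2004-08-06 10:01:09 192.0.2.55 GET /adminSection/index_next.asp admin=alice%27--&Pass=x 200
2004-08-06 10:02:30 192.0.2.55 GET /adminSection/users_list.asp ShowMsg=%3Cscript%3Ealert(1)%3C/script%3E 200
2004-08-06 10:03:00 192.0.2.10 GET /adminSection/users_list.asp ShowMsg=User+added 200
2004-08-06 10:04:00 192.0.2.77 GET /adminSection/ChangePassword.asp - 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s %s param=%s" % hit)
```

Two caveats for anyone using this pattern: IIS logs only the query string, so injection sent in a POST body to index_next.asp or ChangePassword.asp is invisible here unless a request filter or reverse proxy feeds `check_request` the body as well; and the indicators are deliberately loose (a lone apostrophe in a legitimate password is a hit), which is the right trade-off for an admin-only login that should see very little traffic.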
Vendor contacted: Fri, 06 Aug 2004, no response.
Criolabs staff http://www.criolabs.net
Original advisory and proof of concept in http://www.criolabs.net/advisories/passprotect.txt