Active Auction House Default.ASP Multiple SQL Injection Vulnerabilities
BID:13032
Info
| Bugtraq ID: | 13032 |
| Class: | Input Validation Error |
| CVE: | CVE-2005-1029 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 06 2005 12:00AM |
| Updated: | Jul 12 2009 11:57AM |
| Credit: | Discovery of this vulnerability is credited to dcrab <[email protected]>. |
| Vulnerable: | Active Web Softwares Active Auction House |
| Not Vulnerable: | |
Discussion
Active Auction House is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
Exploit / POC
No exploit is required.
The following proof-of-concept URIs are available:
http://www.example.com/activeauctionsuperstore/default.asp?Sortby=ItemName&SortDir='SQL_INJECTION
http://www.example.com/activeauctionsuperstore/default.asp?Sortby='SQL_INJECTION
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
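With no vendor patch listed, requests that carry malformed Sortby or SortDir values can be flagged in web server logs or at a filter in front of the application. The following is an added example, not part of the original advisory or the vendor's code. It assumes that a legitimate Sortby value is a bare column identifier and that SortDir is ASC or DESC; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions (not from the advisory): a legitimate Sortby value is a bare
# column identifier and a legitimate SortDir value is ASC or DESC.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
CHECKS = {
    "sortby": lambda v: IDENTIFIER.fullmatch(v) is not None,
    "sortdir": lambda v: v.upper() in {"ASC", "DESC"},
}


def suspicious_sort_params(url):
    """Return [(name, value)] for Sortby/SortDir values that fail the checks.

    Only requests for default.asp are inspected. Names are compared
    case-insensitively because classic ASP treats query-string keys that way,
    and parse_qsl percent-decodes values, so an encoded quote (%27) is caught.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/default.asp"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query):
        check = CHECKS.get(name.lower())
        if check and not check(value):
            hits.append((name, value))
    return hits


# Constructed sample requests (not real log data); search.asp is a
# hypothetical path used only to show that other pages are skipped.
SAMPLE_REQUESTS = [
    "/activeauctionsuperstore/default.asp?Sortby=ItemName&SortDir=ASC",
    "/activeauctionsuperstore/default.asp?Sortby=ItemName&SortDir='SQL_INJECTION",
    "/activeauctionsuperstore/default.asp?sortby=%27SQL_INJECTION",
    "/activeauctionsuperstore/search.asp?Sortby='x",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for name, value in suspicious_sort_params(req):
            print(f"ALERT {name}={value!r} in {req}")
```

The same two checks can serve as an allowlist inside the application: reject the request, or fall back to a default sort order, whenever either value fails.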
References
References:
- Active Auction House Homepage (Active Web Softwares)
- Active Auction House has multiple Sql injection, error and XSS vulnerabilities (dcrab)