DUportal Pro Multiple SQL Injection Vulnerabilities

Bugtraq ID:	13285
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 20 2005 12:00AM
Updated:	Dec 04 2006 05:39PM
Credit:	Discovery of these vulnerabilities is credited to dcrab <[email protected]>.
Vulnerable:	DUWare DUportal Pro 3.4 DCP-Portal DCP-Portal 6.1.1
Not Vulnerable:

DUportal Pro Multiple SQL Injection Vulnerabilities

DUportal Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

These vulnerabilities are reported to affect DUportal Pro 3.4; earlier versions may also be affected.

DUportal Pro Multiple SQL Injection Vulnerabilities

No exploit is required.

The following proofs of concept are available:

• /data/vulnerabilities/exploits/13285.html

DUportal Pro Multiple SQL Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].

DUportal Pro Multiple SQL Injection Vulnerabilities

References:

• DCP-Portal Homepage (DCP-Portal)
  
• DUware Homepage (DUware)
  
• SQL injection bugs in DCP-Portal (hackgen )
  
• [Aria-Security Team] DuWare DuPortal SQL Injection Vuln (Aria-Security)
  
• DUportal Pro 3.4 has MANY Sql injection and Sql Errors. (dcrab )