ISP Site Man Admin_Login.ASP SQL Injection Vulnerability

Bugtraq ID:	17347
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 01 2006 12:00AM
Updated:	Apr 03 2006 09:23PM
Credit:	s3rv3r_hack3r is credited with the discovery of this vulnerability.
Vulnerable:	ISP Site Man 0
Not Vulnerable:

ISP Site Man Admin_Login.ASP SQL Injection Vulnerability

Site Man is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

All versions of Site Man are considered to be vulnerable.

ISP Site Man Admin_Login.ASP SQL Injection Vulnerability

This issue can be exploited through a web client.

An example has been provided:

user : admin
pass : ' or '

ISP Site Man Admin_Login.ASP SQL Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]:[email protected]

ISP Site Man Admin_Login.ASP SQL Injection Vulnerability

References:

• Site Man Project Page (ISP of Egypt)
  
• SiteMan <= All version SQL injection in admin_login.asp ([email protected])