cApexWEB 'dfuserid' and 'dfpassword' Parameters Multiple SQL Injection Vulnerabilities

Bugtraq ID:	51180
Class:	Input Validation Error
CVE:	CVE-2011-5031
Remote:	Yes
Local:	No
Published:	Dec 23 2011 12:00AM
Updated:	Jan 03 2012 09:50PM
Credit:	D1rt3 Dud3
Vulnerable:	Shilpi cApexWEB 0
Not Vulnerable:

cApexWEB 'dfuserid' and 'dfpassword' Parameters Multiple SQL Injection Vulnerabilities

cApexWEB is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database; other consequences, such as authentication bypass, are possible as well.

cApexWEB 'dfuserid' and 'dfpassword' Parameters Multiple SQL Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

cApexWEB 'dfuserid' and 'dfpassword' Parameters Multiple SQL Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

cApexWEB 'dfuserid' and 'dfpassword' Parameters Multiple SQL Injection Vulnerabilities

References:

• cApexWEB Download Page (Shilpi Computers Limited)