XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerability
BID:9438
Info
XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerability
| Bugtraq ID: | 9438 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 16 2004 12:00AM |
| Updated: | Jan 16 2004 12:00AM |
| Credit: | Discovery of this vulnerability has been credited to <[email protected]>. |
| Vulnerable: |
Pensacola Web Designs XtremeASP PhotoGallery 2.0 |
| Not Vulnerable: | |
Discussion
XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerability
XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The issue is reported to exist in the administration login interface, which does not sufficiently sanitize user-supplied input for username and password values before including it in SQL queries. This could permit remote attackers to pass malicious input to database queries.
XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The issue is reported to exist in the administration login interface, which does not sufficiently sanitize user-supplied input for username and password values before including it in SQL queries. This could permit remote attackers to pass malicious input to database queries.
Exploit / POC
XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerability
The following proof of concept has been supplied:
http://www.example.com/photoalbum/admin/adminlogin.asp
If we type:
Username: 'or'
Password: 'or'
We gain admin access about the password protected
administrative pages.
The following proof of concept has been supplied:
http://www.example.com/photoalbum/admin/adminlogin.asp
If we type:
Username: 'or'
Password: 'or'
We gain admin access about the password protected
administrative pages.
Solution / Fix
XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerability
References:
References:
- XtremeASP PhotoGallery Homepage (Pensacola Web Design)
- Xtreme ASP Photo Gallery (
)