SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   bttlxeForum Vendors:   Battleaxe Software
(Vendor Issues Fix) Re: bttlxeForum Input Validation Flaw in Login Process Lets Remote Users Gain Access Without Authenticating
SecurityTracker Alert ID:  1006636
SecurityTracker URL:  http://securitytracker.com/id/1006636
CVE Reference:   CVE-2003-0215   (Links to External Site)
Date:  Apr 23 2003
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   SAUDI_DEFACERZ reported an input validation vulnerability in the 'bttlxeForum' forum software. A remote user can inject certain SQL command characters to login to the system without authenticating.

It is reported that the software does not filter or validate user-supplied input to remove SQL command characters from the username and password fields [and possibly other fields]. A remote user can reportedly supply the following password with no user name when logging in to become authenticated by the system:

'or''='

Impact:   A remote user can gain access to the application without authenticating.
Solution:   The vendor has issued a fix:

http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812

The vendor responded rapidly to provide a fix:

23 April 2003, 14:43 UTC/GMT - Vendor notified
23 April 2003, 14:56 UTC/GMT - Vendor responded
23 April 2003, 16:03 UTC/GMT - Vendor posted fix
23 April 2003, 16:11 UTC/GMT - Vendor responded to indicate that a fix was available.

Vendor URL:  www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 23 2003 bttlxeForum Input Validation Flaw in Login Process Lets Remote Users Gain Access Without Authenticating



 Source Message Contents

Subject:  RE: vulnerability in your software (bttlxeForum)


A fix has been made, tested by some of the beta testers, and released to
the public at this address:

http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC