Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Sigma ISP Manager Vendors:   Atinegar
Sigma ISP Manager Input Validation Flaw in 'sigmaweb.dll' Permits SQL Injection
SecurityTracker Alert ID:  1013979
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 17 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 6.6
Description:   Last Samurai reported a vulnerability in Sigma ISP Manager. A remote user can inject SQL commands.

The '/scripts/sigmaweb.dll' file does not properly validate user-supplied input in the username, password, and domain fields. A remote user can supply specially crafted 'email' parameter value to execute SQL commands on the underlying database.

A demonstration exploit value is provided:

: /' /'.' por //":>>?>>??>+_+_)()((**&^%^%%$#!?><>><><?/?""""''':L:L"">:"

The original advisory is available at:

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (2000), Windows (2003)

Message History:   None.

 Source Message Contents

Subject:  sigma isp manager 6.6

<<<<Security Advisory>>>>

Advisory Information
Software Package   : Sigma ISP Manager 6.6 (prior versions are also vulnerable)
Vendor Homepage  :
Platforms               : Windows (Any)
Vulnerability           : Injection
Risk                       : critical!
Vulnerable Versions: All version

Sigma ISP Manager is a powerfull accounting service for ISPs.
It also has a Web interface.It can work with Cisco Routers/Access
servers, Portmasters, Multiport etc.It has a flexible permission
based authorization for admins, each admin is permitted to do a job
only if he has been given related permissions.Its Groups are charging
rules that define how much credit will be consumed by logged on users
based on Time of day.

lthere are some vulns in Sigma ISP Manager 6.6  & prior
versions which can be exploited
by malicious people to conduct
injection attacks.

Input passed to the "User Name,Password & Domain" field in
"/scripts/sigmaweb.dll" isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting codes

this is the login file


username: a very long sting of codes nad data like

: /' /'.' por //":>>?>>??>+_+_)()((**&^%^%%$#!?><>><><?/?""""''':L:L"">:":.

password: the same as username
Domain: the same as username

by using these sql attacks you can find the tables of the database
and disclose the critical information.when you insert these codes
the face of the page will be changed
so when inserting it gives you some errors!

Home page

contact me at

thanks to udnst and all under9round digital security members

Discovered by last samurai



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC