SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   livingmailing Vendors:   livingcolor.it
livingmailing Input Validation Hole Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1014087
SecurityTracker URL:  http://securitytracker.com/id/1014087
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 1 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.3
Description:   Romty (Morteza Panahi) reported a vulnerability in livingmailing. A remote user can inject SQL commands.

The 'login.asp' script does not properly validate user-supplied input in the 'password' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to gain administrative access to the application.

A demonstration exploit value is provided:

Username =admin
Password= ' or ''='

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.livingcolor.it/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  livingmailing Login.asp SQL injection


               
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Security
Advisory~~~~~~~~~~~~~~~~~~~~~~~~~~
               
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------------------------------------------------------------------------------
             #################################################################
             #################################################################
             ############  Discovered by Romty (Morteza Panahai)  ############
             ############  Web Site>>>http://www.under9round.com 
############
             ############         Digital Security Team           ############
             #################################################################
             #################################################################
--------------------------------------------------------------------------------------------

                          ADVISORY INFORMATION   
--------------------------------------------------------------------------------------------
Software Package     :livingmailing
Vendor Homepage      :http://livingcolor.it 
Platforms            :Windows Base Server
Vulnerability        :Sqlinjection
Risk                 :High!
Vulnerable Versions  :livingmailing vers. 1.3
--------------------------------------------------------------------------------------------
                          SUMMARY
--------------------------------------------------------------------------------------------
livingmailing is a Admin Control Panel Management System  


--------------------------------------------------------------------------------------------
                          EXPLOIT
--------------------------------------------------------------------------------------------
Uername =admin
Password= ' or ''='
This Is The Login File>>>                         /login.asp
By Using This User And Password You Will Be Taken to Admin Control Panel 
--------------------------------------------------------------------------------------------
                          HOME PAGE
--------------------------------------------------------------------------------------------

Http://www.under9round.com

--------------------------------------------------------------------------------------------
                          SOLUTION 
--------------------------------------------------------------------------------------------

Contact Me At: udnst@yahoo.com

--------------------------------------------------------------------------------------------
                          GREETINGS
--------------------------------------------------------------------------------------------

Specilas Greetz To My Best Friend  Last-Samurai And All Under9round
Digital Security Members


--------------------------------------------------------------------------------------------
                          CEREDITS
--------------------------------------------------------------------------------------------

Discovered By Romty (Morteza Panahi)

--------------------------------------------------------------------------------------------
                          REFERENCES                 
--------------------------------------------------------------------------------------------

http://www.under9round.com/lmg.txt

         ++++++++++++++++++++< UNDER9ROUND DIGITAL SECURITY TEAM

>>++++++++++++++++++++++



-- sh4wsh4nk Redemption 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC