SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ZonGG Vendors:   zon.cn
ZonGG Input Validation Hole in 'ad/login.asp' Permits SQL Injection
SecurityTracker Alert ID:  1014063
SecurityTracker URL:  http://securitytracker.com/id/1014063
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 27 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2
Description:   Romty (Morteza Panahai) reported a vulnerability in ZonGG. A remote user can inject SQL commands.

The 'ad/login.asp' script does not properly validate user-supplied input in the password parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A demonstration exploit value is provided:

Password= ' or ''='

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  zon.cn/gg/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  ZonGG V1.2 Password Sqlinjection


         Security Advisory
                

--------------------------------------------------------------------------------------------
             #################################################################
             #################################################################
             ############  Discovered by Romty (Morteza Panahai)  ############
             ############  Web Site>>>http://www.under9round.com 
############
             ############         Digital Security Team           ############
             #################################################################
             #################################################################
--------------------------------------------------------------------------------------------

                          ADVISORY INFORMATION   
--------------------------------------------------------------------------------------------
Software Package     :ZonGG 
Vendor Homepage      :http://zon.cn/gg/
Platforms            :Windows Base Server
Vulnerability        :Sqlinjection
Risk                 :High!
Vulnerable Versions  :ZonGG V1.2
--------------------------------------------------------------------------------------------
                          SUMMARY
--------------------------------------------------------------------------------------------
ZonGG  Is a Web-based Admin Control Panel Management System


--------------------------------------------------------------------------------------------
                          EXPLOIT
--------------------------------------------------------------------------------------------

Password= ' or ''='
This Is The Login File>>>       ad/login.asp
By Using This  password you will be taken to admin control panel and
the Admin management board
--------------------------------------------------------------------------------------------
                          HOME PAGE
--------------------------------------------------------------------------------------------

Http://www.under9round.com

--------------------------------------------------------------------------------------------
                          SOLUTION 
--------------------------------------------------------------------------------------------

Contact Me At: udnst@yahoo.com

--------------------------------------------------------------------------------------------
                          GREETINGS
--------------------------------------------------------------------------------------------

Specilal Greetz To My Beche + Friend  Last-Samurai And All Under9round
Digital Security Members


--------------------------------------------------------------------------------------------
                          CEREDITS
--------------------------------------------------------------------------------------------

Discovered By Romty (Morteza Panahi)

--------------------------------------------------------------------------------------------
                          REFERENCES                 
--------------------------------------------------------------------------------------------

http://www.under9round.com/zongg.txt

 UNDER9ROUND DIGITAL SECURITY TEAM 


-- sh4wsh4nk Redemption 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC