SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   JiRo's Upload System Vendors:   jiros.net
JiRo's Upload System Input Validation Hole in Admin Panel Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1014086
SecurityTracker URL:  http://securitytracker.com/id/1014086
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 1 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1
Description:   Romty (Morteza Panahi) reported a vulnerability in JiRo's Upload System. A remote user can inject SQL commands.

The 'login.asp' script does not properly validate user-supplied input in the 'password' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to gain administrative access to the application.

A demonstration exploit value is provided:

Username =admin
Password= ' or ''='

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.jiros.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  jus login.asp SQL injection


               
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Security
Advisory~~~~~~~~~~~~~~~~~~~~~~~~~~
               
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------------------------------------------------------------------------------------------
             #################################################################
             #################################################################
             ############  Discovered by Romty (Morteza Panahai)  ############
             ############  Web Site>>>http://www.under9round.com 
############
             ############         Digital Security Team           ############
             #################################################################
             #################################################################
--------------------------------------------------------------------------------------------

                          ADVISORY INFORMATION   
--------------------------------------------------------------------------------------------
Software Package     :JUS
Vendor Homepage      :http://www.jiros.net/
Platforms            :Windows Base Server
Vulnerability        :Sqlinjection
Risk                 :High!
Vulnerable Versions  :JUS v 1
--------------------------------------------------------------------------------------------
                          SUMMARY
--------------------------------------------------------------------------------------------
JUS  is a Admin Control Panel Management System  By using that you can
Add /Edit/Del
 Files & USer And...................


--------------------------------------------------------------------------------------------
                          EXPLOIT
--------------------------------------------------------------------------------------------
Uername =admin
Password= ' or ''='
This Is The Login File>>>                         /login.asp
By Using This User And Password You Will Be Taken to Admin Control Panel 
--------------------------------------------------------------------------------------------
                          HOME PAGE
--------------------------------------------------------------------------------------------

Http://www.under9round.com

--------------------------------------------------------------------------------------------
                          SOLUTION 
--------------------------------------------------------------------------------------------

Contact Me At: udnst@yahoo.com

--------------------------------------------------------------------------------------------
                          GREETINGS
--------------------------------------------------------------------------------------------

Specilas Greetz To My Best Friend  Last-Samurai And All Under9round
Digital Security Members


--------------------------------------------------------------------------------------------
                          CEREDITS
--------------------------------------------------------------------------------------------

Discovered By Romty (Morteza Panahi)

--------------------------------------------------------------------------------------------
                          REFERENCES                 
--------------------------------------------------------------------------------------------

http://www.under9round.com/jus.txt

         ++++++++++++++++++++< UNDER9ROUND DIGITAL SECURITY TEAM

>>++++++++++++++++++++++


-- sh4wsh4nk Redemption 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC