[KAPDA::#47] - myNewsletter 1.1.2 SQL_Injection

SQL_Injection

-------

KAPDA New advisory

Vulnerable products : myNewsletter <= 1.1.2
Vendor: http://www.aspburst.com/index.asp
Risk: Medium
Vulnerability: SQL_Injection

Date :
--------------------
Found : 2006/06/05
Vendor Contacted : 2006/06/06
Release Date : 2006/06/06

Discussion :
----------------
In the parameter named 'UserName' in "validatelogin.asp" or "adminlogin.asp", an attacker can enter SQL commands to log in to the system.

Proof of Concepts:
--------------------

Solution:
--------------------
Nothing yet from the vendor.

Our solution :

in 'validatelogin.asp' :

function validateLogin(theUserName, thePassword)
sqlString = "Select Password from Newsletter_Admin Where UserName = '" &theUserName& "'"

change to this :

function validateLogin(theUserName, thePassword)
theUserName = replace(theUserName,"'","''")
sqlString = "Select Password from Newsletter_Admin Where UserName = '" &theUserName& "'"

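Added example, not part of the KAPDA advisory or the myNewsletter code: a Python/SQLite model of the lookup query above that compares the original concatenation, the advisory's quote doubling, and a bound parameter on a user name containing a single quote. The in-memory database, its rows and the function names are constructed for illustration; the application itself is ASP, and quote doubling relies on the backend treating '' as the only escape inside a string literal, which a bound parameter does not depend on.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the application's database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Newsletter_Admin (UserName TEXT, Password TEXT)")
    db.executemany("INSERT INTO Newsletter_Admin VALUES (?, ?)",
                   [("admin", "constructed-pw-1"), ("o'neil", "constructed-pw-2")])
    return db

def lookup_concatenated(db, user_name):
    """Original pattern: the input is spliced into the SQL text unchanged."""
    sql = "Select Password from Newsletter_Admin Where UserName = '" + user_name + "'"
    return db.execute(sql).fetchone()

def lookup_quote_doubled(db, user_name):
    """Advisory's fix: double each single quote so it stays inside the literal."""
    user_name = user_name.replace("'", "''")
    sql = "Select Password from Newsletter_Admin Where UserName = '" + user_name + "'"
    return db.execute(sql).fetchone()

def lookup_parameterized(db, user_name):
    """Bound parameter: the value never becomes part of the SQL text."""
    sql = "Select Password from Newsletter_Admin Where UserName = ?"
    return db.execute(sql, (user_name,)).fetchone()

def compare(user_name):
    """Run all three lookups; report the row, None, or the SQL error class."""
    db = make_db()
    results = {}
    for label, fn in (("concatenated", lookup_concatenated),
                      ("quote_doubled", lookup_quote_doubled),
                      ("parameterized", lookup_parameterized)):
        try:
            results[label] = fn(db, user_name)
        except sqlite3.Error as exc:
            # The quote in the input changed the statement's structure.
            results[label] = "SQL error: " + type(exc).__name__
    return results

if __name__ == "__main__":
    for candidate in ("admin", "o'neil"):
        print(candidate, compare(candidate))
```
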
Original Advisory:
--------------------
http://www.kapda.ir/advisory-340.html

Credit :
--------------------
FarhadKey of KAPDA
farhadkey [at} kapda {d0t} net
Kapda - Security Science Researchers Institute of Iran
http://www.KAPDA.ir
KAPDA myNewsletter 1.1.2 Login bypass PoC
change action in source and then submit