COMMAND

    AdMentor allows any user to login as admin.

SYSTEMS AFFECTED

    AdMentor v2.11 and earlier

PROBLEM

    Thran found the following:

    AdMentor [http://www.aspcode.net] allows any user to login as admin.
    The base path of the login is usually:

        http://www.someserver.com/admentor/admin/admin.asp

    By using Login: ' or ''='  and Password: ' or ''='  we create a legal
    query, because the input is appended to the statement as:

        SELECT row FROM table WHERE login = '' or ''=''

    The same goes for the password. This allows us to login without any
    trouble as the main admin.

    Vendor has been warned of the bug, but has not released a patch yet.

    Temporary solution: filter out the bad chars ' " ~ \ / by using the
    following piece of JavaScript:

        function RemoveBad(strTemp) {
            // strip characters that could alter the structure of the SQL statement
            strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
            return strTemp;
        }

    And calling it from within the ASP script:

        var login    = RemoveBad(Request.QueryString("login"));
        var password = RemoveBad(Request.QueryString("password"));

    I am not sure about the correct vars set in the form, you might want to
    tweak it just a bit. Haven't drunk my coffee yet :)

SOLUTION
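The following is an added example, not code from the advisory or from AdMentor: it shows the statement the vulnerable login page ends up building from the advisory's input, the effect of the advisory's blacklist filter on that input, a tautology check a defender can run over login attempts, and the parameterized form that removes the problem regardless of input. The table and column names are the advisory's illustrative ones; `buildSafeQuery` returns a `{sql, params}` pair as a hypothetical parameter-binding driver would consume it.

```javascript
// Added example (not from the advisory): SQL built by concatenation vs.
// the blacklist filter vs. a parameterized query. Offline; no database.

// 1. How the vulnerable page assembles its SQL: raw string concatenation.
//    A quote in the input closes the literal and the rest becomes SQL.
function buildVulnerableQuery(login, password) {
  return "SELECT row FROM table WHERE login = '" + login +
         "' AND password = '" + password + "'";
}

// 2. The advisory's RemoveBad filter, rewritten as a character class.
//    Note it strips < > " ' % ; ( ) & + - but not the ~ \ / that the
//    advisory text also lists, so the prose and the regex disagree.
function removeBad(strTemp) {
  return strTemp.replace(/[<>"'%;()&+\-]/g, "");
}

// 3. Detection heuristic for the advisory's payload shape: a quote,
//    an OR, and a quoted value compared against a quote. Useful for
//    flagging login attempts in logs; not a substitute for the fix below.
function looksLikeTautology(value) {
  return /'\s*or\s*'[^']*'\s*=\s*'/i.test(value);
}

// 4. The real fix: the SQL text carries placeholders and the user input
//    travels separately as parameters, so no character in the input can
//    change the statement's structure. (Driver interface is hypothetical.)
function buildSafeQuery(login, password) {
  return {
    sql: "SELECT row FROM table WHERE login = ? AND password = ?",
    params: [login, password],
  };
}

// Constructed sample input: the exact value from the advisory.
const payload = "' or ''='";
```

With the advisory's value in both fields, `buildVulnerableQuery` yields `... login = '' or ''='' AND password = '' or ''=''`, where each `''=''` is always true; `buildSafeQuery` leaves the same value as an inert parameter.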