vAuthenticate Input Validation Flaw in 'check.php' Lets Remote Users Inject SQL Commands

SecurityTracker Alert ID: 1025996

SecurityTracker URL: http://securitytracker.com/id/1025996

CVE Reference: GENERIC-MAP-NOMATCH

Date: Sep 1 2011

Impact: Disclosure of system information, Disclosure of user information, User access via network

Exploit Included: Yes

Version(s): 3.0.1; possibly earlier versions

Description:
A vulnerability was reported in vAuthenticate. A remote user can inject SQL commands.

The software does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The 'username' and 'password' parameters of 'check.php' are affected. Other scripts may also be affected.

The original advisory is available at:
http://www.exploit-db.com/exploits/17752/

Impact:
A remote user can execute SQL commands on the underlying database.

Solution:
No solution was available at the time of this entry.

Vendor URL: www.beanbug.net/vScripts.php

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Date: Thu, 01 Sep 2011 04:06:10 +0000
Subject: vAuthenticate

vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vulnerability
http://www.exploit-db.com/exploits/17752/