[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] ZH2004-14SA (security advisory):Sql Injection in Infinity WEB

To: "D'Amato Luigi" <admin@xxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] ZH2004-14SA (security advisory):Sql Injection in Infinity WEB
From: "D'Amato Luigi" <admin@xxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 27 Jun 2004 11:42:25 +0100

06/27/2004
 
Vendor contacted: June 1st 2004
Published: June 26th 2004 
Title: Infinity WEB 
Vulnerable versions :1.0 unpatched 

Type: Sql Injection 

Author: D'Amato Luigi from Zone-h Security Labs - securitywireless@xxxxxxxxx - 
admin@xxxxxxxxxxxxxxxxxxxxx 

Vendor: http://www.websoft.it/ 


Description 

**********
Zone-H Security Team has discovered a security flaw in Infinity WEB . This 
vulnerability could allow malicious attackers to bypass the authentication 
mechanish without having an account. 

Details 

******************************************** 

Due to an improper login validation in the login page it is possible to bypass 
the authentication mechanism 

Solution 

********** 

The vendor has been contacted and has released a patch 


--- 

D'Amato Luigi from Zone-h Security Labs - 
securitywireless@xxxxxxxxx - 
admin@xxxxxxxxxxxxxxxxxxxxx
Admin Security Wireless
http://www.securitywireless.info


 
http://www.zone-h.org/en/advisories/read/id=4892/

Prev by Date: Re: [Full-Disclosure] IE exploit runs code from graphics?
Next by Date: [Full-Disclosure] Lotus Notes URL argument injection vulnerability
Previous by thread: Re: [Full-Disclosure] Wanted: Sasser executable and derivatives
Next by thread: [Full-Disclosure] Lotus Notes URL argument injection vulnerability
Index(es):
- Date
- Thread