Infinity WEB login SQL injection
| infinity-web-sql-injection (16513) |  Medium Risk |
Description:
Infinity WEB is vulnerable to SQL injection, caused by improper validation of user-supplied input in the login page. A remote attacker could use this vulnerability to bypass authentication without having an account on the system.
Consequences:
Bypass Security
Remedy:
Apply the patch for this vulnerability, available from the WebSoft Web site. See References.
References:
- Full-Disclosure Mailing List Sun Jun 27 2004 - 05:42:25 CDT: ZH2004-14SA (security advisory):Sql Injection in Infinity WEB.
- WebSoft Web site: WebSoft s.r.l. -Soluzioni aziendali internet/intranet.
- BID-10614: WebSoft Infinity WEB SQL Injection Vulnerability
- CVE-2004-0625: SQL injection vulnerability in Infinity WEB 1.0 allows remote attackers to bypass authentication and gain privileges via the login page.
Platforms Affected:
- WebSoft Infinity WEB 1.0
Reported:
Jun 26, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net