DuWare DuDownload type.asp, detanil.asp, and detail.asp SQL injection
| dudownload-type-sql-injection (30669) |  Medium Risk |
Description:
DuWare DuDownload is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the type.asp, detanil.asp, or detail.asp scripts using the iType, iFile, or action parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Platforms Affected:
- DUware, DUdownload
Remedy:
No remedy available as of November 29, 2008.
Consequences:
Data Manipulation
References:
- BugTraq Mailing List, Fri Dec 01 2006 - 18:40:03 CST , [Aria-Security Team] DuWare DuDownloads SQL Injection Vuln at http://archives.neohapsis.com/archives/bugtraq/2006-12/0032.html.
- DuDownload Web site, DUware - Web-based Software Development at http://www.duware.com/products/detail.asp?iPro=30&iCat=4&nCat=Directory%20&%20Search.
- BID-21405: Multiple DuWare Products Detail.ASP Multiple SQL Injection Vulnerabilities
- CVE-2006-6367: Multiple SQL injection vulnerabilities in detail.asp in DUware DUdownload 1.1, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) iFile or (2) action parameter. NOTE: the iType parameter is already covered by CVE-2005-3976.
- SA23224: DUware DUdownload "iFile" SQL Injection Vulnerability
- VUPEN/ADV-2006-4845: DUware DUdownload iFile Parameter Handling Remote SQL Injection Vulnerability
Reported:
Dec 01, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net