LogiSense multiple application login form SQL injection
| logisense-sql-injection (9268) |  Medium Risk |
Description:
The LogiSense DNS Manager System, Hawk-i Billing, and Hawk-i ASP are vulnerable to SQL injection in the ASP-based login forms. A remote attacker could insert malicious characters in the password field to modify SQL queries and gain unauthorized access to the program.
Consequences:
Gain Access
Remedy:
Install the latest version of the software, or apply the the latest SQL injection patch. Hawk-i 4.x and Hawk-i 5.x users may download the SQL injection patch from the Hawk-i ISP Billing support page. See References.
References:
- BugTraq Mailing List, Tue Jun 04 2002 - 09:59:57 CDT: sql injection in Logisense software.
- LogiSense Corporation Web site: SQL Injection in LogiSense Software Solved.
- LogiSense Corporation Web site: Support - Hawk-i ISP Billing Software.
- BID-4931: LogiSense Hawk-i Login SQL Injection Vulnerability
- CVE-2002-0878: SQL injection vulnerability in the login form for LogiSense software including (1) Hawk-i Billing, (2) Hawk-i ASP and (3) DNS Manager allows remote attackers to bypass authentication via SQL code in the password field.
Platforms Affected:
- LogiSense LogiSense DNS Manager System
- LogiSense LogiSense Hawk-i ASP
- LogiSense LogiSense Hawk-i Billing
Reported:
Jun 04, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net