Info

Disclosure

Dec 14, 2004

Discovery

Unknown

Dates

Exploit

Dec 14, 2004

Solution

Unknown

Description

ASP-Rider contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'username' parameter in the 'verify.asp' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, ASP-Rider.com has released a patch to address this vulnerability.

Products

ASP-Rider.com

ASP-Rider

Unknown or Unspecified

References

Bugtraq ID: 11933
ISS X-Force ID: 18479
Secunia Advisory ID: 13470
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0151.html
CVE ID: 2004-1401 (see also: NVD)
Security Tracker: 1010549
Vendor URL: http://weblog.asp-rider.com/

Credit

Shervin Khaleghjou - oil_karchackyahoo.com -

Direct URL: http://osvdb.org/36218