Info

Disclosure

May 24, 2005

Discovery

Unknown

Dates

Exploit

May 24, 2005

Solution

Unknown

Description

NewsletterEz contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. This flaw exists because the application does not validate user-supplied input in the 'Password' field upon submission to the 'login.asp' script and may allow a remote attacker to inject or manipulate SQL queries.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Distinct Web Creations, Inc.

NewsletterEz

3.0

References

Security Tracker: 1014038
Bugtraq ID: 13730
Secunia Advisory ID: 15469
CVE ID: 2005-1750 (see also: NVD)
Vendor URL: http://www.ezdwc.com/
Other Advisory URL: http://www.under9round.com/nez.txt

Credit

Romty -

Direct URL: http://osvdb.org/16808