by r0t,der4444,cembo,VietMafia

Thursday, December 22, 2005

WebDB SQL inj vuln.

WebDB SQL inj vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
vendor:http://www.loissoftware.com
affected version:1.1 and prior

Product Description:
WebDB is the totally generic, instant online database system - It is possible to create a dynamic web site with no programming knowledge. The software comes with an administration system that allows you to create fields, records, etc. and then decide which fields will appear on the search, results and details pages. You also have total control of the look and feel of the database pages.


Vuln. Description:

WebDB contains a flaw that allows a remote sql injection attacks.Input passed to the search parameter in search module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code

Solution:
Edit the source code to ensure that input is properly sanitised.

1 Comments:

Anonymous Lois Software told...

WebDB is a generic online database system used by many of the clients of Lois Software. The flaw that was identified was some code that was added for a client to do some testing of his system and only certain safe commands were allowed. This code has now been removed and it is not now possible to use SQL queries as part of the query string.

9:15 PM

 

Post a Comment

<< Home

 
Copyright (c) 2006 Pridels Sec Crew