Re: a new sql injection for aspjar guestbook

To: arash_pc0@xxxxxxxxx
Subject: Re: a new sql injection for aspjar guestbook
From: security curmudgeon <jericho@xxxxxxxxxxxxx>
Date: Tue, 12 Jul 2005 04:12:15 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20050704204833.16955.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050704204833.16955.qmail@xxxxxxxxxxxxxxxxx>

: hello , my name is: (arash setayeshi) & my yahoo id is : arash_pc0
:  I found a new vulnerability in aspjar guestbook that we can control 
: website & go to admin control panel by (sql injection).
:  sql injection : in login page(guestbook/admin/login.asp) , username 
: should be blank & password is : ' or 'x'='x . by this work we will be in 
: admin control panel so :

This was disclosed to Bugtraq on 2005-02-10 by farhad koosha 
(farhadkey@xxxxxxxxx).

http://archives.neohapsis.com/archives/bugtraq/2005-02/0097.html

References:
- a new sql injection for aspjar guestbook
  - From: arash_pc0

Prev by Date: SoftiaCom MailServer - Local Password Disclosure Vulnerability
Next by Date: Advisory 10/2005: Yawp/YaWiki Remote URL Include Vulnerability
Previous by thread: a new sql injection for aspjar guestbook
Next by thread: JBoss jBPM 2.0: Remote code execution and classloader covert channel
Index(es):
- Date
- Thread