LogiSense Hawk-i Login SQL Injection Vulnerability

LogiSense produces a range of web-based billing and administration products. A vulnerability has been reported in the ASP-based login process used by several of these products, including Hawk-i, Hawk-i ASP and DNS Manager System.

Reportedly, user input supplied as the login password is not adequately filtered. A malicious user may include special characters such as "'" in the supplied password and thereby modify the SQL query used to validate the user. As a result, access to arbitrary known accounts is possible.

This issue has been reported in current versions of LogiSense products. However, earlier versions may share this vulnerability.
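The password-handling flaw described above can be checked for and fixed as follows. This is an added example, not LogiSense code: it uses Python with an in-memory SQLite database, and the table, column names, account and both login functions are constructed assumptions, since the advisory does not show the product's actual query.

```python
import hashlib, hmac, os, sqlite3

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Constructed schema and account (hypothetical; not the product's real tables).
    # pw_plain exists only so the flawed pattern below has something to compare against.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, pw_plain TEXT)")
    salt, pw = os.urandom(16), "s3cret-Pass"
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", salt, hash_pw(pw, salt), pw))
    return db

def login_concatenated(db, name, password):
    """Flawed pattern: input is pasted into the SQL text, so a "'" ends the literal."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND pw_plain = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, name, password):
    """Hardened: the name is bound as data and the password never enters the SQL."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    # Compare salted hashes in constant time instead of matching inside the query.
    return hmac.compare_digest(hash_pw(password, row[0]), row[1])

def quote_reaches_sql_grammar(login, db):
    """Regression check: a lone "'" as the password must be data, not syntax."""
    try:
        login(db, "admin", "'")
    except sqlite3.OperationalError:
        return True   # the quote broke the statement: input is parsed as SQL
    return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated affected:", quote_reaches_sql_grammar(login_concatenated, db))
    print("parameterized affected:", quote_reaches_sql_grammar(login_parameterized, db))
```

A database error triggered by a single quote in the password field is the signal that input is reaching the SQL parser; the parameterized form simply rejects the login.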


 

Copyright 2010, SecurityFocus