XtremeASP PhotoGallery 2.0 - 'Adminlogin.asp' SQL Injection

EDB-ID:

23547


Author:

posidron

Type:

webapps


Platform:

ASP

Date:

2004-01-16


source: https://www.securityfocus.com/bid/9438/info

XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The issue is reported to exist in the administration login interface, which does not sufficiently sanitize user-supplied input for username and password values before including it in SQL queries. This could permit remote attackers to pass malicious input to database queries.

http://www.example.com/photoalbum/admin/adminlogin.asp

If we type:

Username: 'or'
Password: 'or'

We gain admin access about the password protected
administrative pages.