Outfront Spooky 2.x - Login SQL Query Manipulation Password

EDB-ID:

21434


Platform:

ASP

Published:

2002-05-02

source: http://www.securityfocus.com/bid/4661/info

Spooky Login is a commerical web access control and account management software package. It is distributed and maintained by Outfront, and is designed for Microsoft IIS Webservers.

Under some circumstances, it may be possible for a remote user to gain unauthorized access to pages protected by Spooky Login. The problem is a SQL query manipulation vulnerability in the authentication component.

It is possible for remote attackers to corrupt the logic of queries such that a successful login will occur regardless of the supplied password. 

User: admin (this selects the first index from the table)
Password: ' OR ''='