AlstraSoft Web Host Directory "pwd" SQL Injection Vulnerability
Report ID:
SA32660
Source:
Secunia
Date of Discovery:
13.11.2008
Criticality:
Moderate
Affects:
AlstraSoft Web Host Directory 1.x
Compromise From:
From remote
Compromise Type:
Manipulation of data
Exposure of sensitive information
Summary
A vulnerability has reported in AlstraSoft Web Host Directory, which can be exploited by malicious people to conduct SQL injection attacks.
Detailed Description
A vulnerability has reported in AlstraSoft Web Host Directory, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed via the "pwd" parameter to the receiving script in the "login" directory is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Solution
Edit the source code to ensure that input is properly sanitised.