Full Disclosure mailing list archives
DDIVRT-2009-25 IPsession SQL Injection Vulnerability
From: "DDI_Vulnerability_Alert" <DDI.VulnerabilityAlert () ddifrontline com>
Date: Thu, 21 May 2009 10:16:32 -0500
Title
-----
DDIVRT-2009-25 IPsession SQL Injection Vulnerability

Severity
--------
Medium

Date Discovered
---------------
March 31, 2009

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description
-------------------------
IPsession runs a web interface on port 8090 that requires valid login
credentials. This interface uses user supplied input to form a database
query and is vulnerable to SQL injection. This may be used to bypass
authentication.

Solution Description
--------------------
Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions)
------------------------------------------
Unknown version on Windows 2003

Vendor Contact
--------------
Name: IPcelerate
Website: http://www.ipcelerate.com/ipsession.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
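The advisory's only mitigation is restricting who can reach the login page on port 8090. The following added example (not part of the advisory or of the vendor's software) audits connection records against a list of trusted networks and reports sources outside it. The record format, the network ranges and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: networks allowed to reach the login page (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
MGMT_PORT = 8090  # port named in the advisory

# Constructed connection records, one per line: "timestamp src_ip dst_port"
SAMPLE_LOG = """\
2009-05-21T10:01:02 10.1.4.22 8090
2009-05-21T10:03:40 203.0.113.57 8090
2009-05-21T10:04:11 192.168.10.5 8090
2009-05-21T10:05:09 198.51.100.9 80
2009-05-21T10:06:30 ::ffff:203.0.113.57 8090
malformed line
"""

def is_trusted(addr):
    """Return True if addr falls inside one of TRUSTED_NETS."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    # Dual-stack listeners may log IPv4 clients as IPv4-mapped IPv6; unwrap them.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in TRUSTED_NETS)

def untrusted_hits(log_text):
    """Return ([(timestamp, src_ip), ...], skipped_line_count) for MGMT_PORT."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            skipped += 1
            continue
        timestamp, src, port = parts
        try:
            if int(port) == MGMT_PORT and not is_trusted(src):
                hits.append((timestamp, src))
        except ValueError:
            skipped += 1  # unparseable address or port
    return hits, skipped

if __name__ == "__main__":
    found, bad = untrusted_hits(SAMPLE_LOG)
    for ts, src in found:
        print(f"{ts} untrusted source {src} reached port {MGMT_PORT}")
    print(f"{bad} line(s) skipped as unparseable")
```

Any reported source means the access restriction is not in effect for that path and the filtering rules in front of port 8090 need review.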