Vendor: Contact Directory
By: R4dc0re
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Contact Directory
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:aspsiteware:contact_directory:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010
ASPSiteware Contact Directory SQL Injection Vulnerability
Contact Directory is an application that allows you to set up and share contacts online. It is backed by an Access database and can store thousands of names and contact information in alphabetical categories. The vulnerability is a SQL injection that can be exploited by sending malicious input in the iType parameter of the type.asp page.
Mitigation:
Input validation should be applied to the iType parameter so that malicious input is rejected before it reaches the database query.