Password Protect

vendor:

Password Protect

by:

ByALBAYX

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Password Protect

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

A SQL injection vulnerability exists in the Password Protect script, which allows an attacker to gain access to the admin panel without authentication. The vulnerability is due to the improper sanitization of user-supplied input to the 'username' and 'password' parameters when logging in to the admin panel. An attacker can exploit this vulnerability by supplying a malicious SQL query as the value of the 'username' and 'password' parameters.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version.

Source

Exploit-DB raw data:

#############################################
#----C4TEAM.ORG---ByALBAYX----C4TEAM.ORG----#
#############################################
[~]Author   : ByALBAYX

[~]Website  : WWW.C4TEAM.ORG
#############################################
[~]Script   :Password Protect

[~]Site     :http://wholehogsoftware.com

[~]Price    :$20.00

[~]Detay    :http://www.wholehogsoftware.com/index.php/page/password_protect_enhanced
#############################################
[~]....


[~]Admin Path :http://c4team.org / [Password Protect_PATH] /admin/



[~]Username   : ' or '1=1



[~]Password   : ' or '1=1



[~]Demo       :http://www.wholehogsoftware.com/demo/password_protect_enhanced/admin


[~]....   vs..
#############################################
[~]iSiNiZE BAqIN :=)

[~]Greetz For C4TEAM Members

[~]Bir insan Hakkinda Ne Kadar Bilgin Varsa O kadar Yorum Yap...   ;=)
#############################################
Derdimi dinledim, derdimden iGRENDiM...
Onun derdini gordum, derdime iMRENDiM...
FilistiN
----------

# milw0rm.com [2009-02-02]