BrightSuite Groupware SQL Vulnerable

vendor:

BrightSuite

by:

L0rd CrusAd3r

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: BrightSuite

Affected Version From: 5.4

Affected Version To: 5.4

Patch Exists: NO

Related CWE: N/A

CPE: a:denali_intranet:brightsuite

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

BrightSuite Groupware SQL Vulnerable

BrightSuite is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue allows attackers to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and possibly compromise the underlying system; other attacks are also possible.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    ###########################################       1
0                    I'm L0rd CrusAd3r member from Inj3ct0r Team       1
1                    ###########################################       0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:BrightSuite Groupware SQL Vulnerable
Code: ASP 3.0 & VBScript
Vendor url:http://www.denaliintranet.com/
Version:5.4
Price:$1299
Published: 2010-06-12
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to
all ICW members.
Spl Greetz to:inj3ct0r.com Team

#####################################################################################################################################################################################################

Description:

BrightSuite is a web-based Groupware, Intranet, and Team Collaboration
application. 25 customizable applications like document management,
calendars, forums, instant messaging and email. Live Demo and Trial

#######################################################################################################################################################################################################

Vulnerability:

*SQLi Vulnerability

DEMO URL:

http://[site]/pages/contact_list_mail_form.asp?ContactID=[sqli]

# 0day n0 m0re #
# L0rd CrusAd3r #

-- 
With R3gards,
L0rd CrusAd3r