Vendor: Spooky Login
By: SecurityFocus
CVSS: 8.8 (HIGH)
Vulnerability class: SQL Query Manipulation
CWE: 89
Product Name: Spooky Login
Affected Version From: Spooky Login 2.0
Affected Version To: Spooky Login 2.0
Patch Exists: YES
Related CWE: N/A
CPE: a:outfront:spooky_login
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft IIS Webservers
Date: 2002

Spooky Login

Spooky Login is a commercial web access control and account management software package designed for Microsoft IIS Webservers. Under some circumstances, it may be possible for a remote user to gain unauthorized access to pages protected by Spooky Login due to a SQL query manipulation vulnerability in the authentication component. By supplying a username of 'admin' and a password of ' OR ''=' it is possible for remote attackers to corrupt the logic of the authentication query such that a successful login will occur regardless of the supplied password.

Mitigation:

Outfront has released a patch to address this issue.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4661/info

Spooky Login is a commercial web access control and account management software package. It is distributed and maintained by Outfront, and is designed for Microsoft IIS Webservers.

Under some circumstances, it may be possible for a remote user to gain unauthorized access to pages protected by Spooky Login. The problem is a SQL query manipulation vulnerability in the authentication component.

It is possible for remote attackers to corrupt the logic of queries such that a successful login will occur regardless of the supplied password.

User: admin (this selects the first index from the table)
Password: ' OR ''='
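The following is an added illustration, not code from Spooky Login or from the advisory: it shows why the password ' OR ''=' listed above turns a string-concatenated authentication query into a tautology that matches the first row of the user table, and how the same lookup behaves when the query is parameterized. The table layout, column names and account values are constructed for this example; real deployments store password hashes rather than plaintext, but the defect lies in how the query is built, not in what the column holds.

```python
import sqlite3

# Constructed sample user table (assumed schema, not Spooky Login's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("alice", "hunter2")])
    conn.commit()
    return conn

def render_vulnerable_sql(username, password):
    # The flawed pattern: user input is spliced straight into the SQL text.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    # With password "' OR ''='" the WHERE clause becomes
    #   username = 'admin' AND password = '' OR ''=''
    # AND binds tighter than OR, so the clause is true for every row and
    # the database returns the first one, matching the advisory's note.
    row = conn.execute(render_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    # Hardened form: placeholders make the password a literal value, so the
    # quote and OR in the input are compared as characters, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable_sql("admin", "' OR ''='"))
    print("vulnerable:", login_vulnerable(db, "admin", "' OR ''='"))  # admin
    print("fixed:     ", login_fixed(db, "admin", "' OR ''='"))       # None
```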