HTTP: WhatsUp Web Interface SQL Injection
This signature detects SQL injection attempts against Ipswitch WhatsUp Professional. WhatsUp does not sufficiently validate user-supplied data submitted through the WhatsUP Web interface. Attackers can input malformed data to execute arbitrary SQL statements in the WhatsUp database.
Extended Description
WhatsUp Professional is prone to an SQL injection vulnerability affecting its Web-based front end. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'login.asp' script before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. It should be noted that by supplying a 'or' value through the 'password' parameter, an attacker can gain unauthorized access to an affected site.
Affected Products
Ipswitch whatsup_professional_2005
Short Name
HTTP:WHATSUP:WEB-SQL-INJECT
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
CVE-2005-1250 Injection Interface SQL Web WhatsUp bid:14039
Release Date
06/24/2005
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
False Positive
Unknown
Vendors
Ipswitch
CVSS Score
7.5