OSVDB ID: 21116

Title: Online Work Order Suite Lite Edition search.asp keyword Parameter SQL Injection

Info

Disclosure

Nov 25, 2005

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Online Work Order Suite Lite Edition contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.asp script not properly sanitizing user-supplied input to the 'keyword' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

OnlineTechTools.com

Online Work Order Suite Lite Edition

3.0

References

Secunia Advisory ID: 17711
CVE ID: 2005-3852 (see also: NVD)
VUPEN Advisory: ADV-2005-2584
Other Advisory URL: http://pridels.blogspot.com/2005/11/owos-lite-30-sql-inj.html
Vendor URL: http://www.onlinetechtools.com/products/owoslite/

Credit

r0t - krustevsgooglemail.com - UNSECURED SYSTEMS

Direct URL: http://osvdb.org/21116