
DDIVRT-2009-25 IPsession SQL Injection Vulnerability


Date Discovered
March 31, 2009

Discovered By
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description
IPsession runs a web interface on port 8090 that requires valid login credentials. This interface builds a database query from user-supplied input and is vulnerable to SQL injection, which may be used to bypass authentication.

Solution Description
Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions)
Unknown version on Windows 2003

Vendor Contact
Name: IPcelerate
Website: http://www.ipcelerate.com/ipsession.html
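
The bug class named in the Vulnerability Description, shown as an added example that is not part of the original advisory and not IPsession's code: a login check that concatenates input into the SQL text, beside the parameterized form that fixes it. The table, column names, function names and sample values are hypothetical and constructed; the advisory does not disclose the product's actual query or database.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table (hypothetical schema, not IPsession's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-hash-value')")
    return db


def login_vulnerable(db, name, password_hash):
    # Flaw: user input is concatenated into the SQL text, so a quote in
    # either field changes the structure of the query itself.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, name, password_hash):
    # Fix: placeholders keep the input as data; the query shape is fixed
    # before any user-controlled value is bound.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password_hash = ?"
    return db.execute(sql, (name, password_hash)).fetchone()[0] > 0


def compare(name, password_hash):
    """Return (vulnerable_result, parameterized_result) for one login attempt."""
    db = make_db()
    try:
        return (login_vulnerable(db, name, password_hash),
                login_parameterized(db, name, password_hash))
    finally:
        db.close()


# Constructed test input: a quote followed by an always-true condition.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    print("valid credentials:", compare("admin", "constructed-hash-value"))
    print("wrong credentials:", compare("admin", "wrong"))
    print("tautology input:  ", compare("admin", TAUTOLOGY))
```

Only the concatenating version accepts the tautology input; the parameterized version compares it against the stored value as a literal string and rejects it.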