GEN:SID | 1:2117 |
Message | WEB-IIS Battleaxe Forum login.asp access |
Summary | This event is generated when an attempt is made to access the file myaccount/login.asp in the BTTLXE Forum application from Battleaxe Software.
|
Impact | Possible theft of data and control of the targeted application leading to a compromise of all resources on the machine not limited to user accounts and business data.
|
Detailed Information | The BTTLXE Forum is a web application used for web-based discussion forums.
A vulnerability exists such that an attacker may gain control of the application via an SQL injection technique. One such scenario allows an attacker to access the system by supplying a specific password without a username in the login page.
Affected Systems: All versions of BTTLXE Forum software.
|
Affected Systems | |
Attack Scenarios | The attacker may login to the Forum with the password 'or''='
|
Ease of Attack | Simple.
|
Corrective Action | Refer to the vendor notification and fix information at http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812
|
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0215
Bugtraq: http://www.securityfocus.com/bid/7416
Vendor: http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812
|
Rule References | bugtraq: 7416
cve: 2003-0215
|