Bugtraq mailing list archives
Engeman - SQL Injection Vulnerability (vendor url erratum)
From: crashbrz () gmail com
Date: 24 Sep 2009 11:43:44 -0000
Engeman is a Brasilian software for maintenance control. Version tested: 6.x.x and prior. Next versions appears vulnerable too. The attacker can inject sql codes in username textbox: SQL dump affter injection: select nome,senha,diasexp,dataltsen,permitetroca from cfgusr where nome='NULL' OR NOME<>'1' select nomegrupo from cfgusr where ignoragrupo='N' and nome='NULL' OR NOME='1' In firebird the attack have a low impact, but in SQL Server may compromisse the server. **** The version tested is a made in DELPH language, NOT is a Web Software! **** Vendor site: www.engeman.com.br. Plase, give the credits to: Crash and _Sl0t_ - DcLabs TrankĀ“s.
Current thread:
- Engeman - SQL Injection Vulnerability (vendor url erratum) crashbrz (Sep 24)