OSEC

 
From: Frank (thran60hotmail.com)
Date: Thu Feb 21 2002 - 04:25:54 CST


    Regarding : AdMentor v2.11 and earlier
    Homepage: http://www.aspcode.net

    AdMentor allows any user to login as admin.

    The base path of the login is usually :

    http://www.someserver.com/admentor/admin/admin.asp

    By using Login : ' or ''=' , and Password : ' or ''='
    We create a legal query because it will get appended
    as : SELECT row FROM table WHERE login = '' or ''=''

    Same goes for the password. This allows us to login
    without any trouble as the main admin. Vendor has
    been warned of the bug, but has not released a patch
    yet. Temporary solution: filter out the bad chars ' " ~ \
    / by using the following piece of JavaScript:

    function RemoveBad(strTemp) {
        // Strip < > " ' % ; ( ) & + - from the submitted value so a quote
        // cannot close the string literal in the concatenated SQL.
        strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
        return strTemp;
    }

    And calling it from within the asp script :

    // Sanitise both fields before they reach the SQL string.
    var login = RemoveBad(Request.QueryString("login"));

    var password = RemoveBad(Request.QueryString("password"));

    I am not sure about the correct vars set in the form,
    you might want to tweak it just a bit. Haven't drunk my
    coffee yet :)

    Credits:

    Bug found by thran, thran60hotmail.com
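As an added example that is not part of the original post: plain JavaScript (runs under Node, no ASP objects) showing the concatenated query the post describes, what the posted RemoveBad blacklist does to that input, and a bound-parameter stand-in that keeps the SQL text constant. The function names, the sample user table and the password value are invented for the demonstration.

```javascript
// 1. Unsafe: the login value is pasted into the SQL text, as in AdMentor.
function buildLoginQuery(login) {
  return "SELECT row FROM table WHERE login = '" + login + "'";
}

// 2. The post's workaround: a blacklist that strips the characters which
// can alter the SQL text (same set as the posted RemoveBad, written as a
// character class).
function RemoveBad(strTemp) {
  return strTemp.replace(/[<>"'%;()&+\-]/g, "");
}

// 3. The real fix: the SQL text never changes and the values are handed to
// the driver separately, so they are compared as data. A plain array lookup
// stands in for the driver here (constructed, not a real database call).
var SAFE_SQL = "SELECT row FROM table WHERE login = ? AND password = ?";
function findUser(rows, login, password) {
  for (var i = 0; i < rows.length; i++) {
    if (rows[i].login === login && rows[i].password === password) {
      return rows[i];
    }
  }
  return null; // no matching row: login fails
}

// Constructed sample table. The post's app compares plain passwords; a real
// deployment would store and compare a password hash instead.
var USERS = [{ row: 1, login: "admin", password: "hunter2" }];
var TAUTOLOGY = "' or ''='";

console.log(buildLoginQuery(TAUTOLOGY));           // the query quoted in the post
console.log(JSON.stringify(RemoveBad(TAUTOLOGY))); // quotes removed, clause stays a literal
console.log(SAFE_SQL, [TAUTOLOGY, TAUTOLOGY]);     // text sent to the driver is unchanged
console.log(findUser(USERS, TAUTOLOGY, TAUTOLOGY)); // null: input is only data
console.log(RemoveBad("O'Brien"));                 // the blacklist also mangles valid input
```

The last line is the caveat with the blacklist approach: it rewrites legitimate values that contain any listed character, which is why binding parameters is preferable to filtering.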