Date: Thu, 21 May 2009 09:14:22 -0600
From: [email protected]
To: [email protected]
Subject: DDIVRT-2009-25 IPsession SQL Injection Vulnerability
Title
DDIVRT-2009-25 IPsession SQL Injection Vulnerability
Severity
Medium
Date Discovered
March 31, 2009
Discovered By
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$
Vulnerability Description
IPsession runs a web interface on port 8090 that requires valid login credentials. The interface uses user-supplied input to form a database query and is vulnerable to SQL injection, which may be used to bypass authentication.
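The class of flaw described above, shown as an added example that is not IPsession's code and not part of the original advisory: a login check that builds its query by string concatenation, next to one that binds the input as a parameter. The table layout, function names and sample credentials are assumptions; the advisory does not give the vendor's actual query.

```python
import hashlib
import hmac
import sqlite3

def pw_hash(password):
    # Demo simplification: fixed constructed salt; real systems use a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10000).hex()

def make_db():
    """Build an in-memory user table (constructed sample data, hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("s3cret-sample")))
    return db

def login_concat(db, name, password):
    """Vulnerable pattern: user input is pasted into the SQL text and parsed as SQL."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(query).fetchone() is not None

def login_bound(db, name, password):
    """Hardened pattern: input is bound as a parameter and never parsed as SQL."""
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    # Compare outside SQL, in constant time.
    return hmac.compare_digest(row[0], pw_hash(password))

# Constructed input: a quote followed by a SQL comment marker removes the
# password condition from the concatenated query. The bound query treats
# the same string as a literal user name that does not exist.
CRAFTED_NAME = "admin' --"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concat, login_bound):
        print(fn.__name__,
              "valid:", fn(db, "admin", "s3cret-sample"),
              "wrong password:", fn(db, "admin", "wrong"),
              "crafted name:", fn(db, CRAFTED_NAME, "wrong"))
```

Restricting network access, as the advisory recommends, reduces who can reach the login page; only the bound form removes the injection itself.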
Solution Description
Limit access to the login page to internal networks and trusted users only.
Tested Systems / Software (with versions)
------------------------------------------
Unknown version on Windows 2003
Vendor Contact
Name: IPcelerate
Website: http://www.ipcelerate.com/ipsession.html