Outfront Spooky 2.x - Login SQL Query Manipulation Password

EDB-ID:

21434




Platform:

ASP

Date:

2002-05-02


source: https://www.securityfocus.com/bid/4661/info

Spooky Login is a commerical web access control and account management software package. It is distributed and maintained by Outfront, and is designed for Microsoft IIS Webservers.

Under some circumstances, it may be possible for a remote user to gain unauthorized access to pages protected by Spooky Login. The problem is a SQL query manipulation vulnerability in the authentication component.

It is possible for remote attackers to corrupt the logic of queries such that a successful login will occur regardless of the supplied password. 

User: admin (this selects the first index from the table)
Password: ' OR ''='