Background
----------

"LogiSense Corporation is a leading provider of performance software for service providers and enterprises. We offer a wide range of low-cost solutions designed to address common client billing and management, traffic congestion, network scalability, and latency issues."

The LogiSense software tested includes Hawk-i Billing, Hawk-i ASP and DNS Manager. These are ISP/ASP billing systems and a web-based DNS manager, respectively.

Problem(s)
----------

The login forms are vulnerable to SQL injection.

    Login:    alskdjflawersadf
    Password: ' OR ''='

The most obvious implication (besides logging in without a username/password) is that this could be leveraged to execute arbitrary commands or steal customer information.

Vendor Status
-------------

The vendor, LogiSense, was informed of the problem on 3/6/02 via their published 'support@hawk-i.com' email address, again on 3/20/02 via their support, inquiry, and sales addresses, and some guy named Rich, from whom the support autoresponse was addressed. The guy named Rich replied the next day and said the bug was in the queue and would be dealt with shortly. On 3/29/02 I emailed Rich again and asked what's up, and he said it would be addressed ASAP. So here it is 6/04/02 and it still hasn't been fixed (at least it still works with their online demos).

Work Around
-----------

If you use LogiSense software, don't let yourself be listed on their list of targe..er, customers. Better yet, don't use software by a vendor who ignores security bugs for three months.

You can probably edit the login forms (which are in ASP) and add something like:

    ' Strip every character that is not a letter or digit from the
    ' submitted value before it is used to build the SQL statement.
    dim regex
    set regex = New RegExp
    regex.pattern = "[^0-9a-zA-Z]"
    regex.Global = True
    cleantext = regex.replace(inputtext, "")

I don't have copies of these softwares to try it on, so I can not give more detail.

--
Edward Fahner
Systems Administrator, Quantrex ITG
(540) 442-6677 x222
[aka. Akatosh .CU.Au, akatosh@rains.net]
DC2.DwGmL--WT--SksCre+\Cvi+BflA(+r-v+++)NaM++H++$FoR+Ac+++!J+S+U-I--#V+++Q+Tc++E--
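The following is an added illustration, not code from the advisory or from LogiSense: it reproduces the login-form behaviour described above in Python with an in-memory sqlite3 table (a constructed one-row users table), showing why the `' OR ''='` password bypasses a concatenated query, why a parameterized query is not affected, and what the advisory's regex workaround does and does not buy you.

```python
import re
import sqlite3


def make_db():
    # Constructed demo table mirroring a 2002-era ASP login form: one row,
    # plaintext password (a real system compares a salted hash in code,
    # never in the WHERE clause).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'wonderland')")
    return conn


def login_vulnerable(conn, user, pw):
    # String concatenation, as the affected forms appear to do. The quote in
    # the payload closes the password literal; the trailing  OR ''=''  is then
    # parsed as SQL and is true for every row, so any username "logs in".
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + user
           + "' AND password='" + pw + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, user, pw):
    # Placeholders: the driver passes the values separately from the
    # statement text, so quotes inside the password stay data.
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone()[0] > 0


# Same character class as the advisory's VBScript RegExp workaround.
ALNUM_ONLY = re.compile(r"[^0-9a-zA-Z]")


def login_whitelisted(conn, user, pw):
    # The regex stopgap applied before concatenation. It defeats this payload,
    # but it also silently mangles any legitimate password that contains
    # punctuation, so it is a patch for the symptom, not for the cause.
    return login_vulnerable(conn, ALNUM_ONLY.sub("", user),
                            ALNUM_ONLY.sub("", pw))


# The credentials quoted in the advisory.
PAYLOAD_USER = "alskdjflawersadf"
PAYLOAD_PASS = "' OR ''='"
```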