Title
-----
DDIVRT-2009-25 IPsession SQL Injection Vulnerability

Severity
--------
Medium

Date Discovered
---------------
March 31, 2009

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description
-------------------------
IPsession runs a web interface on port 8090 that requires valid login credentials. This interface uses user supplied input to form a database query and is vulnerable to SQL injection. This may be used to bypass authentication.

Solution Description
--------------------
Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions)
------------------------------------------
Unknown version on Windows 2003

Vendor Contact
--------------
Name: IPcelerate
Website: http://www.ipcelerate.com/ipsession.html