Security Advisories | SQL Injection | MSN SQL Injection Vulnerability

Vendor: MSN
Web Site Affected: http://server1.msn.co.in/wallpaper/userchoose.asp
Type: SQL Injection
Severity: Critical
Date released: 29th December 2005

I. Description
A SQL Injection Vulnerability has been reported in the MSN India Web site. The Vulnerability allows an attacker to run arbitrary query on the MSN SQL server. It also reveals some crucial information regarding the database which includes Server name, Database name, and Table name, etc.

Screenshots: The screenshots can be viewed here




II. Impact
The vulnerability allows an attacker to run an arbitrary query on the SQL server

III. Solution
Vendor has been notified.

Vendor's Response
Microsoft responded immediately, and removed the vulnerable pages from the MSN website.



Advisory Listing

SQL Injections

Buffer Overflows

Information Disclosure, Path Disclosure

Denial of Service

User Enumeration

Password Disclosure

Network Intelligence (I) Pvt. Ltd. © 2004 | Copyright | Disclaimer
info@niiconsulting.com