CVE-2010-4186
Published: 2010-11-05
Priority: P3 · 44
CVSS 2.0: 7.5 (high)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 1.03% (59.4th percentile)
SQL injection vulnerability in process.asp in OnlineTechTools Online Work Order System (OWOS) Professional Edition 2.10 allows remote attackers to execute arbitrary SQL commands via the password parameter. NOTE: some of these details are obtained from third party information.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| onlinetechtools.com | oasys_professional | — | — |
No detection rules found.
Exploit-DB
Online Work Order System (OWOS) Professional Edition - Authentication Bypass
exploitdb · 2010-11-02
---
Author: L0rd CrusAd3r aka VSN [[email protected]]
Exploit Title: Onlinetechtools OWOS: Professional Edition? Authentication Bypass Vulnerability
Version:2.10
Price:900$
Vendor url:http://www.onlinetechtools.com
Published: 2010-11-02
Thanx to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic, M4n0j,SeeMe, Th3 RDX.
Greetz to : Inj3ct0r Exploit DataBase (inj3ct0r.com)
Special Greetz: Topsecure.net,0xr00t.com,Andhrahackers.com
Shoutzz:- To all ICW & Inj3ct0r members.
.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~..~.~.~.~.~~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Description:
Work smarter with OWOS: Professional Edition, the web-based help desk solution.
OWOS Pro helps you
Exploit-DB
Online Work Order Suite - Login SQL Injection
exploitdb · 2010-11-02
---
source: https://www.securityfocus.com/bid/44608/info
Online Work Order Suite is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Online Work Order Suite 2.10 is vulnerable; other versions may also be affected.
The following example data is available:
' or 1=1 or ''=''
No writeups or analysis indexed.
http://osvdb.org/68972
http://secunia.com/advisories/42111
http://www.exploit-db.com/exploits/15397
http://www.securityfocus.com/bid/44608
https://exchange.xforce.ibmcloud.com/vulnerabilities/62972