InDoors Software InDoorsLogger 7.7 multiple security vulnerabilities

There are multiple security vulnerabilities in InDoorsLogger (IDLogger) version 7.7 which may allow an attacker to take control of the software.

Software

Software Link: InDoors Software InDoorsLogger 7.7

Vulnerable Version: <= 7.7

Vendor Notification:

# 2010-12-20 # Initial Contact

# 2010-12-27 # No reply from vendor # Advisory released

Vulnerabilities

# Information Disclosure # Full Path Disclosure # Does not require authorized session # <= 7.7 # Un-patched

# Cross-Site Scripting (XSS) # Requires authorized session # <= 7.7 # Un-patched

# Blind SQL Injection # Requires authorized session # <= 7.7 # Un-patched

The vulnerabilities are due to the failure of "inDepthReport.php" and "detailedStats.php" to properly sanitize user-supplied data in the "query" parameter before it is used in SQL queries and reflected in the page output.
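The following PHP is an added illustration and is not code from InDoorsLogger or its vendor: it sketches a hypothetical report endpoint that accepts a "query" parameter, first in the unsafe shape that gives rise to all three issue classes listed above (string-built SQL, unescaped reflection of the input, PHP error output that reveals the script path), then in a hardened form. The table name `stats`, its columns, the in-memory SQLite database (requires the `pdo_sqlite` extension) and the sample rows are all constructed for the demo.

```php
<?php
// Added example (not InDoorsLogger code). The unsafe function is a generic
// illustration of the pattern the advisory describes; it is never called below.

// --- Unsafe pattern (hypothetical) ---
function unsafeReport(PDO $db, array $get): string
{
    $q = $get['query'] ?? '';
    // SQL assembled by concatenation: the "query" value becomes part of the SQL text
    $rows = $db->query("SELECT host, hits FROM stats WHERE host = '$q'")->fetchAll();
    // Input echoed straight into HTML: reflected XSS
    $html = "<h1>Report for $q</h1><ul>";
    foreach ($rows as $r) {
        $html .= "<li>{$r['host']}: {$r['hits']}</li>";
    }
    return $html . '</ul>';
    // With display_errors=On, a PDOException thrown above is printed to the client
    // together with the absolute script path: full path disclosure.
}

// --- Hardened pattern ---
function e(string $s): string
{
    // Encode on output so user data is rendered as text, never as markup
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function safeReport(PDO $db, array $get): string
{
    // 1. Validate with an allow-list: a hostname-like value or nothing at all
    $q = $get['query'] ?? '';
    if (!preg_match('/^[A-Za-z0-9.\-]{1,253}$/', $q)) {
        http_response_code(400);
        return '<p>Invalid query.</p>';
    }
    // 2. Parameterise: the value is bound, so it can never alter the SQL statement
    $stmt = $db->prepare('SELECT host, hits FROM stats WHERE host = :host');
    $stmt->execute([':host' => $q]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // 3. Escape every dynamic value at the point it enters the HTML
    $html = '<h1>Report for ' . e($q) . '</h1><ul>';
    foreach ($rows as $r) {
        $html .= '<li>' . e($r['host']) . ': ' . e((string) $r['hits']) . '</li>';
    }
    return $html . '</ul>';
}

// 4. Keep PHP errors (and the file paths they contain) out of the response
ini_set('display_errors', '0');
ini_set('log_errors', '1');
set_exception_handler(function (Throwable $t): void {
    error_log($t->getMessage());          // details go to the server log only
    http_response_code(500);
    echo '<p>An internal error occurred.</p>';
});

// Demo against an in-memory SQLite database with constructed rows
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stats (host TEXT, hits INTEGER)');
$db->exec("INSERT INTO stats VALUES ('www.example.test', 42)");

echo safeReport($db, ['query' => 'www.example.test']), "\n"; // normal lookup
echo safeReport($db, ['query' => 'not a host name']), "\n";  // rejected by validation (HTTP 400)
```

The three controls map one-to-one onto the three findings: binding the parameter removes the SQL injection, escaping on output removes the cross-site scripting, and disabling `display_errors` while logging server-side removes the path disclosure. Input validation is kept as a defence in depth, not as the primary fix.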

Reference

# OWASP: Cross-Site Scripting

# OWASP: Full Path Disclosure

# OWASP: SQL Injection

Appendix

[TXT] InDoors Software InDoorsLogger 7.7 multiple security vulnerabilities