Port80 · Iisprotect · CVE-2003-0377
Name of the Vulnerable Software and Affected Versions:
iisPROTECT versions 2.2-r4 and earlier
Description:
A SQL injection issue allows remote attackers to insert arbitrary SQL and execute code via certain variables, such as the `GroupName` variable in the `SiteAdmin.ASP` page. Attackers can exploit this to gain unauthorized access.
Recommendations:
For iisPROTECT versions 2.2-r4 and earlier, consider restricting access to the `SiteAdmin.ASP` page and avoiding use of the `GroupName` variable until a fix is available. As a temporary workaround, restrict the use of variables that can be used for SQL injection in the web-based administration interface.
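
To verify that the access restriction holds and to triage past requests, the following added example (not part of the original advisory or of iisPROTECT) audits IIS W3C extended logs for hits on `SiteAdmin.ASP`. It assumes `GroupName` arrives in the query string (IIS does not log POST bodies); the admin network, URL path and log lines are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Assumption: networks allowed to reach SiteAdmin.ASP (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# SQL syntax that has no place in a group name; a triage signal, not proof.
SQL_META = re.compile(r"['\";]|--|/\*")

def audit(log_lines):
    """Return (line_no, client_ip, reason) for each suspicious SiteAdmin.ASP hit."""
    fields, findings = [], []
    for n, line in enumerate(log_lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/siteadmin.asp"):
            continue
        ip = row.get("c-ip", "")
        try:
            inside = any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS)
        except ValueError:                 # malformed address: treat as outside
            inside = False
        if not inside:
            findings.append((n, ip, "SiteAdmin.ASP reached from outside admin network"))
        query = row.get("cs-uri-query", "-")
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        for key, values in params.items():  # parse_qs URL-decodes the values
            if key.lower() == "groupname" and any(SQL_META.search(v) for v in values):
                findings.append((n, ip, "SQL metacharacters in GroupName"))
    return findings

# Constructed sample log; the URL path is a placeholder, not the product's real path.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-20 10:01:02 10.0.5.17 GET /example-admin-path/SiteAdmin.ASP GroupName=Editors 200
2003-05-20 10:03:40 203.0.113.9 GET /example-admin-path/SiteAdmin.ASP GroupName=Editors%27%3B-- 200
2003-05-20 10:04:11 10.0.5.17 GET /default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any finding from outside the admin network means the access restriction is not in effect for that path.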