PT-2006-1954 · Ipswitch · Ipswitch Whatsup Professional 2006

Josh Zlatin-Amishav

Published

2006-02-28

Updated

2018-10-18

CVE-2006-0911

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions Ipswitch WhatsUp Professional 2006

Description The issue allows remote attackers to cause a denial of service, specifically CPU consumption, via crafted requests to "Login.asp". This may involve the In and btnLogIn parameters, or malformed btnLogIn parameters, possibly due to missing or incorrect bracket characters. Examples of such crafted requests include "&btnLogIn=[Log&In]=&" or "&b;tnLogIn=[Log&In]=&" in the URL.

Recommendations For Ipswitch WhatsUp Professional 2006, consider restricting access to the "Login.asp" endpoint until a fix is available. As a temporary workaround, avoid using the btnLogIn parameter in the affected API endpoint.

Exploit

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-399

Related Identifiers

CVE-2006-0911

Affected Products

Ipswitch Whatsup Professional 2006

PT-2006-1954 · Ipswitch · Ipswitch Whatsup Professional 2006

CVE-2006-0911

Weakness Enumeration

Related Identifiers

Affected Products

References · 10