CVE-2011-2149

Name of the Vulnerable Software and Affected Versions SmarterTools SmarterStats version 6.0

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via certain parameters to specific API endpoints such as "Admin/frmSite.aspx", "Default.aspx", "Services/SiteAdmin.asmx", or "Client/frmViewReports.aspx". Additionally, certain cookies to "Services/SiteAdmin.asmx" or "login.aspx", the Referer HTTP header to "Services/SiteAdmin.asmx" or "login.aspx", or the User-Agent HTTP header to "Services/SiteAdmin.asmx" can also be used for exploitation.

Recommendations For SmarterTools SmarterStats version 6.0, consider disabling access to the vulnerable API endpoints "Admin/frmSite.aspx", "Default.aspx", "Services/SiteAdmin.asmx", and "Client/frmViewReports.aspx" until a patch is available. Restrict the use of certain cookies and limit the information sent in the Referer and User-Agent HTTP headers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.