Update: 1:15 AM 6/28/2005

Subject: QuickWeb Administration Vulnerability

Vulnerable version: Dynamic Biz Website Builder (QuickWeb) 1.0

Description:
QuickWeb is an easy-to-use, database-driven, self-administrating website that allows a company's personnel to add, edit, and delete web site content with no programming or HTML knowledge.

Vulnerability:
The administration login form (.dweb/login.asp) is vulnerable to SQL injection. The submitted credentials are placed directly into the authentication query, so a tautology in the password field makes the WHERE clause always true and logs the attacker in. Once logged in, the attacker has full administrator privileges over the website.

Sample of SQL Injection:
.dweb/login.asp
User ID : admin
Password : 'or '='

W00t! we have g0t Admin land...

Solution:
Vendor has been notified.

Vendor URL:
Website - http://www.etoshop.com/html-pro/dweb.html
Email - support@etoshop.com

Published:
basher13 (Infam0us Gr0up - Securiti Research)
basher13@linuxmail.org / infamous.2hell.com
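The following is an added illustration of the bypass, not code from QuickWeb or from the advisory's author. It rebuilds the kind of concatenated login query the advisory describes against an in-memory SQLite table (the schema, the two accounts and their passwords are constructed for the example) and puts the hardened, parameterised version beside it. The tautology is written in the common form ' or ''=' with a doubled quote in the middle; the string as printed in the advisory above differs by one quote, and in SQL dialects that treat '' as an escaped quote inside a literal that shorter form produces an unterminated string rather than a true condition.

```python
"""Login bypass via SQL injection in a concatenated WHERE clause, beside the
parameterised fix. Example code added for illustration; the users table and
the credentials below are constructed, not taken from the product."""
import sqlite3

# Tautology payload for the password field: closes the literal the query
# opened and appends a condition that is true for every row.
PAYLOAD = "' or ''='"


def make_db() -> sqlite3.Connection:
    """Build a throwaway users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    # Plaintext passwords keep the example short; a real fix also stores a
    # salted hash and compares it in constant time.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", "administrator"),
         ("editor", "s3cret-editor", "editor")],
    )
    return conn


def build_vulnerable_query(userid: str, password: str) -> str:
    """The statement a login.asp-style page builds by string concatenation.
    Quotes in the input become part of the SQL, not part of the data."""
    return (
        "SELECT role FROM users WHERE userid='" + userid
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, userid: str, password: str):
    """Run the concatenated query. Returns the role granted, or None.
    With PAYLOAD as the password the clause reads
    userid='admin' AND password='' or ''='' which is true for every row, so
    the first row in the table (here the administrator) is returned."""
    row = conn.execute(build_vulnerable_query(userid, password)).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, userid: str, password: str):
    """Same check with bound parameters: the driver sends the input as data,
    so a quote in it can never change the statement's structure. The payload
    is simply compared, as a string, against the stored password and fails."""
    row = conn.execute(
        "SELECT role FROM users WHERE userid=? AND password=?",
        (userid, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("query sent :", build_vulnerable_query("admin", PAYLOAD))
    print("vulnerable :", vulnerable_login(db, "admin", PAYLOAD))
    print("parameterised:", safe_login(db, "admin", PAYLOAD))
```

Running the module prints the exact statement the injected password produces, shows the concatenating version handing out the administrator role without knowing the password, and shows the parameterised version rejecting the same input. The difference is only in how the input reaches the database engine: as SQL text in the first case, as a bound value in the second.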