[Original] SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName variable in SiteAdmin.ASP.
The IISProtect web administration interface does not properly sanitize user input. This could allow for SQL injection attacks on a Microsoft IIS server running IISProtect.
Successful exploitation could result in a compromise of the IISProtect server, attacks on the database or other consequences.
The reported example invokes the 'xp_cmdshell' stored procedure to execute the ping command on the host operating system.
Loss of Confidentiality,
Loss of Integrity,
Loss of Availability
iisPROTECT contains a flaw that allows an attacker to inject arbitrary SQL code. The problem is that user-supplied variables in the admin interface module are not validated properly, which allows an attacker to inject into or manipulate SQL queries.
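The flaw class described above, shown as an added illustration in classic ASP (VBScript); this is not iisPROTECT's own code, and the connection object `conn`, the table `Groups` and the column `GroupName` are assumed names. The first statement builds the query by string concatenation, which is the pattern that lets a request value alter the SQL; the second passes the same value as a bound parameter through an ADODB.Command, so it can only ever be compared as data:

```vbscript
' Added illustration, not iisPROTECT's code.
' Assumes an already-open ADODB.Connection named conn and a table
' Groups with a column GroupName (assumed names).
Dim groupName, rs, cmd
groupName = Request("GroupName")

' VULNERABLE PATTERN: the request value becomes part of the SQL text,
' so quote characters in it change the statement itself.
Set rs = conn.Execute("SELECT * FROM Groups WHERE GroupName = '" & groupName & "'")
rs.Close

' HARDENED PATTERN: the SQL text is fixed; the value travels separately
' as a typed input parameter and is never parsed as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM Groups WHERE GroupName = ?"
cmd.CommandType = 1                      ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value):
'   200 = adVarChar, 1 = adParamInput, 64 = maximum accepted length
cmd.Parameters.Append cmd.CreateParameter("GroupName", 200, 1, 64, groupName)
Set rs = cmd.Execute()
```

Parameterization removes the injection point; as defense in depth, the database login the application connects with should also have no permission to run xp_cmdshell or other extended procedures, which limits what a successful injection elsewhere in the application could reach.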
Upgrade to version 2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.