Unrated severity · NVD Advisory · Published Oct 30, 2005 · Updated Jun 16, 2026

CVE-2005-3383

Description

SQL injection vulnerability in Techno Dreams Announcement script allows remote attackers to execute arbitrary SQL commands and bypass authentication via the userid parameter in admin/login.asp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation on the `userid` parameter in login ASP pages allows SQL injection."

Attack vector

An attacker sends a crafted HTTP POST request to the login page, supplying a malicious SQL payload in the `userid` parameter while providing an arbitrary `passwd` value [ref_id=1]. Because the script does not sanitize the `userid` input, the injected SQL commands execute against the underlying database, allowing the attacker to bypass authentication and log in as a low-level user without knowing valid credentials [ref_id=1]. The attack requires only network access to the target web server and no prior authentication.

Affected code

The vulnerability exists in the `/admin/login.asp` page of Techno Dreams Announcement Script, Guestbook Script, and WebDirectory Script, and in the `/login.asp` page of the Mailing List Script [ref_id=1]. The `userid` parameter is not properly validated before being used in SQL queries [ref_id=1].

What the fix does

No patch has been released by the vendor [ref_id=1]. The advisory recommends that input to the `userid` parameter be properly validated and sanitized to prevent SQL injection [ref_id=1]. Without a fix, administrators should apply input filtering or use parameterized queries in the login ASP pages to block malicious SQL payloads.
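
One way to apply both mitigations named above (input filtering and a parameterized query) in a classic ASP login page. This is an added example, not the vendor's code, which the page does not show. The table and column names (`users`, `userid`, `passwd`), the `Application("ConnStr")` connection string, the `default.asp` redirect target, the length limits and the plaintext password column are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Allowlist filter: 1-32 characters, letters, digits, dot, underscore, hyphen.
' The limits are assumed; match them to the real column definition.
Function IsValidUserId(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,32}$"
    IsValidUserId = re.Test(s)
End Function

' Returns True only when a row matches both bound values.
Function CheckLogin(userid, passwd)
    Dim conn, cmd, rs
    CheckLogin = False
    If Not IsValidUserId(userid) Then Exit Function
    If Len(passwd) = 0 Or Len(passwd) > 64 Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnStr")          ' assumed connection string location

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Placeholders keep the query text fixed; user input is bound as data only.
    cmd.CommandText = "SELECT userid FROM users WHERE userid = ? AND passwd = ?"
    cmd.Parameters.Append cmd.CreateParameter("@userid", adVarChar, adParamInput, 32, userid)
    cmd.Parameters.Append cmd.CreateParameter("@passwd", adVarChar, adParamInput, 64, passwd)

    Set rs = cmd.Execute
    CheckLogin = Not rs.EOF
    rs.Close
    conn.Close
End Function

Dim formUser, formPass
formUser = Request.Form("userid") & ""        ' coerce to string; missing field becomes ""
formPass = Request.Form("passwd") & ""

If CheckLogin(formUser, formPass) Then
    Session("userid") = formUser
    Response.Redirect "default.asp"           ' assumed post-login page
Else
    Response.Write "Login failed."
End If
%>
```

The allowlist is a secondary control: the bound parameters are what keep `userid` from being parsed as SQL, so the query stays safe even if the filter is later relaxed.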

Preconditions

  • config: The target must be running a vulnerable version of Techno Dreams Announcement Script, Guestbook Script, WebDirectory Script, or Mailing List Script.
  • network: The attacker must be able to send HTTP POST requests to the login page (/admin/login.asp or /login.asp).
  • auth: No prior authentication is required.
  • input: The attacker supplies a crafted SQL payload in the 'userid' parameter.

Reproduction

The advisory includes a proof-of-concept HTML form that submits a POST request to `http://[target]/admin/login.asp` (or `/login.asp` for the Mailing List script) with a `userid` parameter containing a SQL injection payload and a `passwd` value of `1` [ref_id=1]. An attacker can replace `[SQL Injection]` with a crafted SQL string to bypass authentication [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
