https://www.exploit-db.com/exploits/22529
https://www.securityfocus.com/bid/82825
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200305-020

bttlxeForum是一款基于EWB的论坛程序，由ASP实现。bttlxeForum包含的’login.asp’对外部提供的数据缺少充分过滤，远程攻击者可以利用这个漏洞无需验证访问应用程序。软件对用户提供的用户名和密码字段(可能其他字段)缺少正确的过滤，没有删除一些SQL命令字符，就直接提交给数据库解析，攻击者提交包含恶意SQL命令的用户名和字段，可以绕过验证，直接访问应用系统。

source: http://www.securityfocus.com/bid/7416/info

bttlxe Forum is a web-based discussion forum implemented in ASP.

An SQL injection vulnerability has been reported to affect the 'login.asp' page of bttlxe Forum.

The condition is reportedly due to insufficient sanitization of externally supplied data that is used to construct SQL queries. This data may be supplied via the 'password' field during the authentication process. The consequences may vary depending on the particular database implementation and the nature of the specific queries. One scenario reported was bypassing the bttlxe forum authentication system, however other attacks may also be possible.

Log into a vulnerable forum using the following password:
'or''='

A username is not required.

Battleaxe Software Bttlxeforum 2.0 Beta 3

来源:www.battleaxesoftware.com
链接:http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select;=1812
来源:BUGTRAQ
名称:20030424SQLinjectioninBttlxeForum
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=105120052725940&w;=2
来源:SECTRACK
名称:1006632
链接:http://securitytracker.com/id?1006632