CVE-2003-0377

iisprotect < 2.2 - SQL Injection via GroupName Variable in SiteAdmin.ASP

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-0377. PoCs published by Gyrniff.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in IISProtect's web administration interface, allowing execution of arbitrary SQL commands, including the use of `xp_cmdshell` for remote command execution.

Description

SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName variable in SiteAdmin.ASP.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Gyrniff · text · webapps · asp
https://www.exploit-db.com/exploits/22639

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: IISProtect (version not specified)
No auth needed
Prerequisites: IISProtect installed on Microsoft IIS · Access to the admin interface URL
mistral-large-3 · analyzed Feb 16, 2026

References (1)

Core References
Third Party Advisory · mailing-list · x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105370528728225&w=2

Scores

EPSS 0.0248
EPSS Percentile 82.6%

Details

CWE: CWE-89
Status: published
Products (1): iisprotect/iisprotect < 2.2
Published: Jun 16, 2003
Tracked Since: Feb 18, 2026