DeskPRO v1.1.0 and below do not adequately filter user provided data, allowing a remote attacker to insert malicious SQL statements into existing ones. Allows attackers to login to the system as an administrator without knowing the password.
983ccb3475e6d82e382857c1d96466127ac14546a3310ec3ddb85f10f737178d
Multiple SQL Injection Vulnerabilities in DeskPRO
-------------------------------------------------------------------------
Article reference:
http://www.securiteam.com/unixfocus/6R0052K8KM.html
SUMMARY
DeskPRO (http://www.deskpro.com) is "an integrated script to manage your
customer sales and support". The DeskPRO product uses a SQL engine (MySQL) to
store information.
The product contains multiple pages that do not adequately filter our user
provided data, allowing a remote attacker to insert malicious SQL statements
into existing ones.
DETAILS
Vulnerable systems:
* DeskPRO version 1.1.0 and prior
Immune systems:
* DeskPRO version 1.1.2
Examples:
http://vulsite.com/deskpro_v1/faq.php?cat=45'
http://vulsite.com/deskpro_v1/faq.php?article=105'
http://vulsite.com/deskpro_v1/view.php?ticketid=1'&ticket_pass=
The vulnerability is better emphasized by the fact that a remote attacker can
logon into the system with the administrator username without knowing the
password by entering the following information in the logon screen:
Email: admin
Password: 'or''='
Vendor response:
On the 21st of Sep 2003 this issue was reported to DeskPRO, the following
reply was received on the same day:
"Thank you for the notification, we will have a fix within 24 hours. We
appreciate keeping the information out of the public domain until we have had
time to fix and release a patch."
On the 2nd of Oct 2003 after the majority of their customers patched the
issue, we have decided to release this advisory.
The information has been provided by SecurITeam Experts
<expert@securiteam.com>.
--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
Know that you're safe:
http://www.AutomatedScanning.com