Cerberus Helpdesk GUI structs.php cer_email_address_struct Function SQL Injection

2005-12-20T00:00:00
ID OSVDB:21991
Type osvdb
Reporter A. Ramos (aramos@funsec.net)
Modified 2005-12-20T00:00:00

Description

Vulnerability Description

Cerberus Helpdesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'structs.php' script not properly sanitizing user-supplied input to the 'cer_email_address_struct' function. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Webgroup Media LLC has released a patch to address this vulnerability.

References:

Vendor URL: http://www.cerberusweb.com/
Vendor Specific News/Changelog Entry: http://www.cerberusweb.com/devblog/index.php?p=70
Vendor Specific News/Changelog Entry: http://forum.cerberusweb.com/showthread.php?s=&postid=30315
Secunia Advisory ID: 18112
Related OSVDB ID: 21988
Related OSVDB ID: 21993
Related OSVDB ID: 21989
Related OSVDB ID: 21992
Related OSVDB ID: 21994
Related OSVDB ID: 21990
Related OSVDB ID: 21995
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0949.html