NetSupport DNA HelpDesk problist.asp where Variable SQL Injection

2004-07-22T05:00:17
ID OSVDB:8169
Type osvdb
Reporter Noam Rathaus (expert@securiteam.com)
Modified 2004-07-22T05:00:17

Description

Vulnerability Description

NetSupport DNA HelpDesk contains a flaw that allows an attacker to inject arbitrary SQL code. The 'where' parameter in problist.asp is not properly validated, which allows an attacker to inject into or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.netsupportsoftware.com/
Secunia Advisory ID: 12119
Other Advisory URL: http://www.securiteam.com/windowsntfocus/5PP0L0ADGE.html
ISS X-Force ID: 16782
CVE-2004-2737
Bugtraq ID: 10772