LBE Web HelpDesk jobedit.asp id Variable SQL Injection

2004-07-22T05:21:47
ID OSVDB:8181
Type osvdb
Reporter Noam Rathaus(expert@securiteam.com)
Modified 2004-07-22T05:21:47

Description

Vulnerability Description

LBE Web HelpDesk contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the 'id' parameter within jobedit.asp is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 4.0.0.81 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

LBE Web HelpDesk contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the 'id' parameter within jobedit.asp is not verified properly and will allow an attacker to inject or manipulate SQL queries.

References:

Vendor URL: http://www.lbehelpdesk.com/ Secunia Advisory ID:12123 Packet Storm: http://packetstormsecurity.nl/0407-exploits/LBEhelpdesk.txt Other Advisory URL: http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html ISS X-Force ID: 16779 CVE-2004-2562 Bugtraq ID: 10773