deskpro.sql.txt

🗓️ 21 Oct 2003 00:00:00 | Reported by Aviram Jenik | Type: packetstorm
🔗 packetstormsecurity.com

Multiple SQL injection vulnerabilities in DeskPRO allow remote attackers to exploit systems.

Code

```text
Multiple SQL Injection Vulnerabilities in DeskPRO
-------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/unixfocus/6R0052K8KM.html

SUMMARY

DeskPRO (http://www.deskpro.com) is "an integrated script to manage your
customer sales and support". The DeskPRO product uses a SQL engine (MySQL) to
store information.
The product contains multiple pages that do not adequately filter
user-provided data, allowing a remote attacker to insert malicious SQL
statements into existing ones.


DETAILS

Vulnerable systems:
* DeskPRO version 1.1.0 and prior

Immune systems:
* DeskPRO version 1.1.2

Examples:
http://vulsite.com/deskpro_v1/faq.php?cat=45'
http://vulsite.com/deskpro_v1/faq.php?article=105'
http://vulsite.com/deskpro_v1/view.php?ticketid=1'&ticket_pass=

The severity of the vulnerability is underlined by the fact that a remote
attacker can log on to the system as the administrator without knowing the
password, by entering the following information in the logon screen:

Email: admin
Password: 'or''='

Vendor response:
On the 21st of Sep 2003 this issue was reported to DeskPRO; the following
reply was received the same day:
"Thank you for the notification, we will have a fix within 24 hours. We
appreciate keeping the information out of the public domain until we have had
time to fix and release a patch."

On the 2nd of Oct 2003, after the majority of their customers had patched the
issue, we decided to release this advisory.


The information has been provided by SecurITeam Experts
<[email protected]>.

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

Know that you're safe:
http://www.AutomatedScanning.com
```
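The two flaws the advisory describes, the quote-terminated numeric parameters in the example URLs and the `'or''='` logon bypass, reduce to one root cause: request data concatenated into SQL text. The added example below (not DeskPRO's code; the `users`/`faq` schema, column names and stored values are constructed assumptions) shows the concatenating query beside its parameterized replacement, using SQLite in place of MySQL, and a small check that tells a defender when an input makes the vulnerable query fail with a SQL error.

```python
import sqlite3

# Added example, not DeskPRO code: constructed schema and rows (assumptions).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct-horse"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE faq (article INTEGER, title TEXT)")
    conn.execute("INSERT INTO faq VALUES (105, 'Resetting your password')")
    return conn

def login_vulnerable(conn, email, password):
    # Request data spliced into the SQL text: a quote in the input is parsed
    # as SQL, so 'or''=' turns the WHERE clause into ... OR ''='' (always true).
    sql = (f"SELECT email FROM users WHERE email='{email}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, email, password):
    # Parameterized query: values are bound separately from the SQL text,
    # so the quote is compared literally and never parsed.
    row = conn.execute("SELECT email FROM users WHERE email=? AND password=?",
                       (email, password)).fetchone()
    return row[0] if row else None

def article_vulnerable(conn, article):
    # Numeric id concatenated as text; "105'" breaks the statement and raises,
    # which is the database error the advisory's example URLs provoke.
    row = conn.execute(f"SELECT title FROM faq WHERE article={article}").fetchone()
    return row[0] if row else None

def article_fixed(conn, article):
    # Validate the type before any SQL exists, then bind the value.
    try:
        article_id = int(article)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM faq WHERE article=?",
                       (article_id,)).fetchone()
    return row[0] if row else None

def raises_sql_error(conn, article):
    # True when the vulnerable lookup fails with a SQL error for this input:
    # a burst of such errors in the web/DB logs is the signal that a probe ran.
    try:
        article_vulnerable(conn, article)
        return False
    except sqlite3.OperationalError:
        return True
```

With the constructed data, `login_vulnerable(make_db(), "admin", "'or''='")` returns `"admin"` while `login_fixed` returns `None` for the same input, and `article_fixed` rejects `"105'"` without ever touching the database.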
