[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0 (Corrected version)

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0 (Corrected version)
From: "D'Amato Luigi" <admin@xxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 26 Jun 2004 12:35:27 +0100

06/26/2004
 
26/06/2004

ZH2004-10SA (security advisory): Sql Injection in Help Desp Pro 2.0 
Discovered: June 1st 2004 

Vendor contacted: June 1st 2004
Published: June 26th 2004 

Title: Help Desk Pro 

Vulnerable versions :2.0 unpatched 

Type: Sql Injection 

Author: D'Amato Luigi from Zone-h Security Labs - securitywireless@xxxxxxxxx - 
admin@xxxxxxxxxxxxxxxxxxxxx 

Vendor: http://www.websoft.it/ 


Description 

**********
Zone-H Security Team has discovered a flaw in Securityin Help Desk Pro. This 
vulnerability could allow malicious 
attackers to bypass the authentication mechanish without having an account 

Detail 

******************************************** 

Due to an improper login validation in the login page it is possible to bypass 
the authentication mechanism 

Solution 

********** 

The vendor has been contacted and has released a patch 


--- 

D'Amato Luigi from Zone-h Security Labs - 
securitywireless@xxxxxxxxx - 
admin@xxxxxxxxxxxxxxxxxxxxx
Admin Security Wireless
http://www.securitywireless.info
 
http://www.zone-h.org/en/advisories/read/id=4891/

Prev by Date: Re: [Full-Disclosure] defamatory joe job attack by botnet
Next by Date: Re: [Full-Disclosure] "Sample" not running but preventing Win2k fromShutdown
Previous by thread: Re: [Full-Disclosure] "Sample" not running but preventing Win2k from Shutdown
Next by thread: [Full-Disclosure] multiple scanning engines
Index(es):
- Date
- Thread