Full Disclosure mailing list archives

ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0

From: "D'Amato Luigi" <luigidamato77 () yahoo it>
Date: Sat, 26 Jun 2004 11:59:08 +0100

26/06/2004

ZH2004-10SA (security advisory): Sql Injection in Help Desp Pro 2.0
Date of discovery : 1 Giugno 2004

Date of release  26 Giugno 2004

Nome: Help Desk Pro

Vulnerable Version: 2.0 non patchato

Vulnerability: Sql Injection

Autore: D'Amato Luigi from Zone-h Security Labs -
securitywireless () zone-h it - admin () securitywireless info

Vendor: http://www.websoft.it/


Description

**********
Zone-H Security Team has discovered a flaw of securityin Help Desk Pro. This
vulnerability could allow malicious
attackers to bypass the authentication mechanish without having an account

Detail
********************************************
Due to an improper login validation in the login page it is possible to
bypass the authentication mechanism

Solution
**********
The vendor have been contact and have release a patch


--- 

D'Amato Luigi from Zone-h Security Labs -
securitywireless () zone-h it -
admin () securitywireless info
Admin Security Wireless
http://www.securitywireless.info

http://www.zone-h.org/en/advisories/read/id=4891/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

flaw in php_exec_dir patch VeNoMouS (Jun 22)
- Re: flaw in php_exec_dir patch npguy (Jun 24)
  - Re: flaw in php_exec_dir patch Tim (Jun 25)
    - Re: flaw in php_exec_dir patch VeNoMouS (Jun 26)
  - Re: flaw in php_exec_dir patch VeNoMouS (Jun 25)
    - Re: flaw in php_exec_dir patch npguy (Jun 26)
    - ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0 D'Amato Luigi (Jun 26)