Full Disclosure mailing list archives

ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0 (Corrected version)

From: "D'Amato Luigi" <admin () securitywireless info>
Date: Sat, 26 Jun 2004 12:35:27 +0100

06/26/2004
 
26/06/2004

ZH2004-10SA (security advisory): Sql Injection in Help Desp Pro 2.0 
Discovered: June 1st 2004 

Vendor contacted: June 1st 2004
Published: June 26th 2004 

Title: Help Desk Pro 

Vulnerable versions :2.0 unpatched 

Type: Sql Injection 

Author: D'Amato Luigi from Zone-h Security Labs - securitywireless () zone-h it - admin () securitywireless info 

Vendor: http://www.websoft.it/ 


Description 

**********
Zone-H Security Team has discovered a flaw in Securityin Help Desk Pro. This vulnerability could allow malicious 
attackers to bypass the authentication mechanish without having an account 

Detail 

******************************************** 

Due to an improper login validation in the login page it is possible to bypass the authentication mechanism 

Solution 

********** 

The vendor has been contacted and has released a patch 


--- 

D'Amato Luigi from Zone-h Security Labs - 
securitywireless () zone-h it - 
admin () securitywireless info
Admin Security Wireless
http://www.securitywireless.info
 
http://www.zone-h.org/en/advisories/read/id=4891/

Current thread:

ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0 (Corrected version) D'Amato Luigi (Jun 26)