DeskPRO multiple scripts allow SQL injection

deskpro-multiple-sql-injection (13391). Risk level: Medium

Description:

DeskPRO is vulnerable to SQL injection. A remote attacker could insert arbitrary SQL code through multiple parameters in requests to multiple scripts, such as faq.php and view.php, which would allow the attacker to add, modify or delete user information in the backend database.
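The pattern behind this class of bug, shown as an added illustration that is not DeskPRO's code: a faq.php-style lookup that takes a cat parameter, first as the string-built query that lets request data become part of the SQL statement, then hardened with type validation and a PDO prepared statement. The table and column names, the getCategoryUnsafe/getCategorySafe function names and the sample inputs are assumptions; the script runs against an in-memory SQLite database so it can be tried offline.

```php
<?php
// Added illustration (not DeskPRO's code): a faq.php-style category lookup
// by the 'cat' request parameter. Table and column names are assumed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE faq_categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO faq_categories (id, name) VALUES (1, 'Billing'), (2, 'Tickets')");

// VULNERABLE pattern: the request value is pasted into the SQL text, so
// whatever the client sends is parsed by the database as part of the statement.
function getCategoryUnsafe(PDO $db, string $cat): array
{
    $sql = "SELECT id, name FROM faq_categories WHERE id = $cat";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED pattern: validate the parameter's type, then bind it as data with a
// prepared statement so it can never change the structure of the query.
function getCategorySafe(PDO $db, string $cat): array
{
    // Only a bare non-negative integer is an acceptable category id.
    $id = filter_var($cat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        // Reject rather than coerce, and log it: this is a malformed or hostile request.
        error_log('faq: rejected non-integer cat parameter: ' . var_export($cat, true));
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM faq_categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['cat'].
$wellFormed = '2';
$malformed  = '2 extra text'; // anything that is not a bare integer

var_dump(getCategorySafe($db, $wellFormed)); // one row: id 2, name Tickets
var_dump(getCategorySafe($db, $malformed));  // empty array; the rejection is logged

// getCategoryUnsafe($db, $malformed) would instead hand "extra text" to SQLite as
// part of the statement, which is exactly the condition the advisory describes.
```

The same two changes apply to the other inputs the advisory lists (the article and ticket id parameters, and the password field on the logon form): decide what type each value is allowed to be, reject anything else before it reaches the database, and pass the accepted value only as a bound parameter. The rejection log line is also a useful detection signal, since legitimate clients never send a non-integer category id.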

Platforms Affected:

  • DeskPRO, DeskPRO 1.1.0 and prior

Remedy:

Upgrade to the latest version of DeskPRO (1.1.2 or later), available from the DeskPRO.com Web page. See References.

Consequences:

Obtain Information

References:

  • DeskPRO.com Web site, DeskPRO.com Home at http://www.deskpro.com/index.php.
  • SecuriTeam Mailing List, UNIX focus 9 Oct 2003, Multiple SQL Injection Vulnerabilities in DeskPRO at http://www.securiteam.com/unixfocus/6R0052K8KM.html.
  • BID-8799: DeskPro Remote SQL Injection Vulnerability
  • BID-8856: DeskPro Multiple SQL Injection Vulnerabilities
  • CVE-2003-0874: Multiple SQL injection vulnerabilities in DeskPRO 1.1.0 and earlier allow remote attackers to insert arbitrary SQL and conduct unauthorized activities via (1) the cat parameter in faq.php, (2) the article parameter in faq.php, (3) the tickedid parameter in view.php, and (4) the Password entry on the logon screen.

Reported:

Oct 09, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
