Web Helpdesk jobedit.asp SQL injection
| webhelpdesk-jobedit-sql-injection (16779) |  Medium Risk |
Description:
Web Helpdesk from Leigh Business Enterprises is vulnerable to SQL injection, caused by a vulnerability in the jopbedit.asp script. A remote attacker could insert malicious SQL code in the id variable in a specially-crafted URL request, which would allow the attacker to create a new user account with operator privileges.
Platforms Affected:
- Leigh Business Enterprises, Web Helpdesk 4.0.0.80 and prior
Remedy:
Upgrade to the latest version of Web Helpdesk (4.0.0.81 or later), available from the Web Helpdesk Web page. See References.
Consequences:
Gain Access
References:
- SecuriTeam Mailing List, Windows NT focus 21 July 2004, LBE Web HelpDesk SQL Injection at http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html.
- Web Helpdesk Web page, Help Desk software from LBE at http://www.lbehelpdesk.com/helpdesk-latest.htm.
- BID-10773: Leigh Business Enterprises Web HelpDesk SQL Injection Vulnerability
- CVE-2004-2562: SQL injection vulnerability in jobedit.asp in Leigh Business Enterprises (LBE) Web Helpdesk before 4.0.0.81 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- OSVDB ID: 8181: LBE Web HelpDesk jobedit.asp id Variable SQL Injection
- SA12123: LBE Web HelpDesk SQL Injection
Reported:
Jul 21, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net