‘Multiple SQL Injection Vulnerabilities in DeskPRO’

Summary

DeskPRO is ‘an integrated script to manage your customer sales and support’. The DeskPRO product uses a SQL engine (MySQL) to store information.

The product contains multiple pages that do not adequately filter our user provided data, allowing a remote attacker to insert malicious SQL statements into existing ones.’

Credit:

‘The information has been provided by SecurITeam Experts.’


Details

Vulnerable systems:
 * DeskPRO version 1.1.0 and prior

Immune systems:
 * DeskPRO version 1.1.2

Examples:
http://vulsite.com/deskpro_v1/faq.php?cat=45′
http://vulsite.com/deskpro_v1/faq.php?article=105′
http://vulsite.com/deskpro_v1/view.php?ticketid=1’&ticket_pass=

The vulnerability is better emphasized by the fact that a remote attacker can logon into the system with the administrator username without knowing the password by entering the following information in the logon screen:

Email: admin
Password: ‘or”=’

Vendor response:
On the 21st of Sep 2003 this issue was reported to DeskPRO, the following reply was received on the same day:
Thank you for the notification, we will have a fix within 24 hours. We appreciate keeping the information out of the public domain until we have had time to fix and release a patch.’

On the 2nd of Oct 2003 after the majority of their customers patched the issue, we have decided to release this advisory.’

Categories: UNIX