by r0t, der4444, cembo, VietMafia

Thursday, November 24, 2005

HelpDeskPoint Free Help Desk Software SQL inj.

Vuln. discovered by: r0t
Date: 25 Nov. 2005
Vendor: http://helpdeskpoint.com
Affected version: 2.38 and prior


Product Description:

HelpDeskPoint.com welcomes you to one of the most advanced help desk support software packages released to the open source community. This help desk application will allow your organization the flexibility it needs to quickly respond to trouble ticket calls. Our help desk support software is written in PHP and using a MySQL backend. Installing the support software is simple, requiring no programming knowledge. Everything about the help desk software is customizable through the help desk administrator interface. Please take some time and look around our site, you will find we have provided all the resources necessary to evaluate our help desk support software.


Vuln. Description:

Input passed to the "page" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?page=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.
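
One way to apply this fix, shown as an added example that is not HelpDeskPoint's code and not part of the original advisory: validate the "page" value, then pass it to the query as a bound parameter. The table, column and function names are hypothetical, and in-memory SQLite stands in for the MySQL backend so the script runs offline.

```php
<?php
// Added example: hypothetical schema and function names, not HelpDeskPoint's code.
// SQLite in memory stands in for MySQL; with MySQL only the PDO DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (name TEXT PRIMARY KEY, body TEXT)");
$db->exec("INSERT INTO pages VALUES ('home', 'Welcome'), ('faq', 'Questions')");

// Pattern the advisory describes (do not use): request data concatenated into SQL.
//   $sql = "SELECT body FROM pages WHERE name = '" . $_GET['page'] . "'";

/**
 * Look up a page by name. Returns the body, or null if the name is
 * malformed or unknown.
 */
function load_page(PDO $db, $page): ?string
{
    // 1. Validate shape: reject arrays (?page[]=x) and anything outside
    //    the expected character set and length.
    if (!is_string($page) || !preg_match('/\A[a-z0-9_-]{1,32}\z/i', $page)) {
        return null;
    }
    // 2. Bind the value: the driver handles it as data, never as SQL text.
    $stmt = $db->prepare('SELECT body FROM pages WHERE name = :name');
    $stmt->execute([':name' => $page]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Constructed inputs: one valid name, one containing SQL metacharacters,
// one array-typed value, one over-long value.
$inputs = ['home', "home' OR '1'='1", ['home'], str_repeat('a', 500)];
foreach ($inputs as $in) {
    $result = load_page($db, $in);
    printf("%-24s => %s\n", substr(json_encode($in), 0, 24), var_export($result, true));
}

// In index.php the call would look like:
//   $body = load_page($db, $_GET['page'] ?? 'home');
```

Only the first input returns a row; the other three return null without reaching the database. The bound parameter is what keeps the query structure fixed, and the pattern check is an additional layer on top of it.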

Copyright (c) 2006 Pridels Sec Crew