OSVDB ID: 21988

Title: Cerberus Helpdesk Support Center attachment_send.php file_id Parameter SQL Injection

Info

Disclosure

Dec 20, 2005

Discovery

Nov 15, 2005

Dates

Exploit

Unknown

Solution

Unknown

Description

Cereberus Helpdesk Support Center contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the attachment_send.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Rumored
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

WebGroup Media LLC	Cerberus Helpdesk Support Center	3.2.0pr2
		2.649

References

Secunia Advisory ID: 18112
CVE ID: 2005-4427 (see also: NVD)
Related OSVDB ID: 21989 21990 21991 21992 21993 21994 21995
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0949.html
Vendor Specific News/Changelog Entry: http://forum.cerberusweb.com/showthread.php?s=&postid=30315
http://www.cerberusweb.com/devblog/index.php?p=70
Vendor URL: http://www.cerberusweb.com/

Credit

A. Ramos - aramosfunsec.net - Personal Page

Direct URL: http://osvdb.org/21988

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

WebGroup Media LLC

Cerberus Helpdesk Support Center

References

Credit