Info

Disclosure

Sep 03, 2007

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

PHD Help Desk contains flaws that may allow an attacker to carry out an SQL injection attack. The issue is due to user supplied input not being properly sanitized before being used in SQL queries and passed to unspecified variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.31 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

PHD	Help Desk	1.21
		1.2
		1.15
		1.1
		1.05
		1.0
		0.88
		1.3

References

CVE ID: 2007-4716 (see also: NVD)
Bugtraq ID: 25517
Secunia Advisory ID: 26688
ISS X-Force ID: 36431
VUPEN Advisory: ADV-2007-3039
Vendor Specific News/Changelog Entry: http://sourceforge.net/forum/forum.php?forum_id=731460
http://sourceforge.net/project/shownotes.php?release_id=536503&group_id=170208
Other Advisory URL: http://sourceforge.net/project/shownotes.php?release_id=536503

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36789