PT-2011-19: SQL injection vulnerability in Help Request System Vulnerable softwareHelp Request System Version 1.1a and earlierApplication link: http://freehelpdesk.org/ Severity levelSeverity level: High Impact: SQL injection Access Vector: Remote CVSS v2: Base Score: 7.5 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)CVE: not assignedSoftware descriptionHelp Desk Software is a simple powerful Help Desk Software solution.Vulnerability descriptionPositive Research Center has discovered an SQL injection vulnerability in Help Request System. Application incorrectly validates input data. That allows attackers to conduct SQL injection attack."SQL Injection" is a way to bypass network protection and attack the database. Settings transferred to the database through web applications are specially crafted to modify executable SQL query, for example, an attacker could execute additional query with the first one by adding different characters.An attacker can use the vulnerability to obtain access to data which is normally unavailable or obtain system configuration data which can be used for further attacks. For example, modified query may return hashed user passwords which could be decrypted with brute force attack. How to fixUpdate your software up to the latest versionAdvisory status 07.07.2011 - Vendor is notified 15.07.2011 - Vendor gets vulnerability details 16.07.2011 - Vendor releases fixed version and details 24.08.2011 - Public disclosureCreditsThe vulnerability was detected by Yuri Goltsev, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2011-19Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/advisory1.aspx http://en.securitylab.ru/lab/
