PT-2011-25: SQL injection vulnerabilities in Support Incident Tracker
Version 3.63p1 and earlier
Severity level: High
Impact: SQL injection
Access Vector: Network exploitable
Base Score: 6.5
CVE: not assigned
Support Incident Tracker (or SiT!) is a free software/open source (GPL) web-based application.
Positive Research Center has discovered multiply SQL injection vulnerabilities in Support Incident Tracker. Application incorrectly validates input data, which allows attackers to conduct an SQL injection attack.
"SQL Injection" is a way to bypass network protection and attack the database. Settings transferred to the database through Web applications are specially crafted to modify executable SQL query. For example, an attacker could execute an additional query along with the first one by adding different symbols to a setting.
How to fix
Update your software up to the latest version
13.07.2011 - Vendor is notified
13.07.2011 - Vendor gets vulnerability details
17.07.2011 - Vendor releases fixed version and details
22.07.2011 - Public disclosure
The vulnerability was detected by Yuri Goltsev, Positive Research Center (Positive Technologies Company)
Reports on the vulnerabilities previously discovered by Positive Research Center: