[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [SePro Bugtraq] SQL-Injection in PerlDesk 1.x
From: <deluxe () security-project ! org>
Date: 2005-02-07 21:31:18
Message-ID: 20050207213118.8499.qmail () www ! securityfocus ! com
[Download RAW message or body]
SQL-Injection in PerlDesk
Discovered by deluxe89 and Astovidatu
[ www.security-project.org ]
Vendor: LogicNow
Homepage: http://www.perldesk.com/
Vulnerable versions: 1.x
Login required: no
Description:
"PerlDesk is a feature packed web based help desk and email management application \
designed to streamline the operation of managing emails or support requests, with \
built in tracking and response logging. It is an ideal help desk solution for \
companies with one or more members of staff or for those who want to organise client \
support." (direct quote from www.perldesk.com)
Summary:
PerlDesk has got a SQL-Injection vulnerability, which allows potential users to read \
informations from the database. The "view"-parameter isn't filtered, so an attacker \
can manipulate the query.
Proof of Concept:
[code=vulnerable]
if ($ENV{'QUERY_STRING'} =~ /^view/)
{
$id = $q->param('view');
$statement = 'SELECT * FROM perlDesk_kb_entries WHERE id = ' . "$id";
[/code]
As one can see the "view"-parameter is stored in $id which is then passed to the \
SQL-Statement completely unfiltered. Using a malformed query string one can exploit \
this issue.
For example "http://www.site.com/dir/kb.cgi?view=0 UNION SELECT \
1,3,password,username,3,7 FROM users"
If the user table is named "users", this query will read the username and password.
The same report but with exploit code can be found at:
http://www.security-project.org/projects/board/showthread.php?p=5172#post5172
Patch:
Upgrade to version 2.x.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic