
List:       bugtraq
Subject:    [SePro Bugtraq] SQL-Injection in PerlDesk 1.x
From:       <deluxe () security-project ! org>
Date:       2005-02-07 21:31:18
Message-ID: 20050207213118.8499.qmail () www ! securityfocus ! com



SQL-Injection in PerlDesk
 
Discovered by deluxe89 and Astovidatu
[ www.security-project.org ]
 
 
Vendor: LogicNow
Homepage: http://www.perldesk.com/
Vulnerable versions: 1.x
Login required: no
 
 
Description:
"PerlDesk is a feature packed web based help desk and email management
application designed to streamline the operation of managing emails or
support requests, with built in tracking and response logging. It is an
ideal help desk solution for companies with one or more members of staff
or for those who want to organise client support."
(direct quote from www.perldesk.com)
 
Summary:
PerlDesk has an SQL injection vulnerability that allows potential users to
read information from the database. The "view" parameter isn't filtered,
so an attacker can manipulate the query.

Proof of Concept:
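[code=vulnerable]
if ($ENV{'QUERY_STRING'} =~ /^view/)
  {

    # "view" is read from the request without any validation ...
    $id        = $q->param('view');
    # ... and concatenated straight into the SQL text.
    $statement = 'SELECT * FROM perlDesk_kb_entries WHERE id = ' . "$id";
[/code]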
 
As one can see, the "view" parameter is stored in $id, which is then passed
to the SQL statement completely unfiltered. Using a malformed query string
one can exploit this issue.

For example:
"http://www.site.com/dir/kb.cgi?view=0 UNION SELECT 1,3,password,username,3,7 FROM users"

If the user table is named "users", this query will read the username and
password.
 
 
The same report but with exploit code can be found at:
http://www.security-project.org/projects/board/showthread.php?p=5172#post5172

Patch:
Upgrade to version 2.x.
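
For sites that cannot upgrade immediately, the lookup quoted above can be hardened by validating "view" as an integer and binding it through a DBI placeholder. This is an added example, not PerlDesk's code or the vendor's 2.x fix; the helper name kb_entry, the in-memory SQLite database and the table columns are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example: hardened form of the kb.cgi lookup quoted in the advisory.
# Assumes DBI and DBD::SQLite are installed; the in-memory table and its
# columns are constructed for this demo and are not PerlDesk's real schema.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE perlDesk_kb_entries (id INTEGER PRIMARY KEY, subject TEXT)');
$dbh->do(q{INSERT INTO perlDesk_kb_entries VALUES (1, 'Resetting a password')});

# Hypothetical helper: returns the matching row as a hashref, or undef.
sub kb_entry {
    my ($dbh, $view) = @_;

    # 1. Allow-list: an entry id is a short run of ASCII digits, nothing else.
    #    \A and \z anchor the whole string, so a trailing newline fails too.
    return unless defined $view && $view =~ /\A[0-9]{1,9}\z/;

    # 2. Bind the value through a placeholder instead of concatenating it,
    #    so it can never change the structure of the statement.
    my $sth = $dbh->prepare('SELECT * FROM perlDesk_kb_entries WHERE id = ?');
    $sth->execute($view);
    my $row = $sth->fetchrow_hashref;
    $sth->finish;
    return $row;
}

# Constructed inputs: a valid id, the query string from the advisory, and junk.
my @inputs = ('1', '0 UNION SELECT 1,3,password,username,3,7 FROM users',
              '1;', undef);
for my $view (@inputs) {
    my $row   = kb_entry($dbh, $view);
    my $label = defined $view ? $view : '(undef)';
    printf "%-60s => %s\n", "view=$label",
        $row ? "entry $row->{id}: $row->{subject}" : 'rejected or not found';
}
```

Either measure alone blocks the query string shown in the proof of concept; using both keeps the lookup safe if the validation pattern is later loosened.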

