Deskpro Multiple Input Validation Vulnerabilities
BID:21248
Info
Deskpro Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 21248 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 22 2006 12:00AM |
| Updated: | Nov 23 2006 05:50PM |
| Credit: | Tal Argoni and LegendaryZion are credited with the discovery of these vulnerabilities. |
| Vulnerable: |
DeskPro DeskPro 2.0.1 DeskPro DeskPro 2.0 |
| Not Vulnerable: | |
Discussion
Deskpro Multiple Input Validation Vulnerabilities
Deskpro is prone to multiple input-validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. These issues include multiple HTML-injection issues and an unauthorized file-access vulnerability.
Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials to control how the site is rendered to the user and to access arbitrary files within the context of the affected webserver.
Versions 2.0.1 and 2.0.0 are vulnerable to these issues; other versions may also be affected.
Deskpro is prone to multiple input-validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. These issues include multiple HTML-injection issues and an unauthorized file-access vulnerability.
Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials to control how the site is rendered to the user and to access arbitrary files within the context of the affected webserver.
Versions 2.0.1 and 2.0.0 are vulnerable to these issues; other versions may also be affected.
Exploit / POC
Deskpro Multiple Input Validation Vulnerabilities
Attackers can exploit these issues via a web client.
Attackers can exploit these issues via a web client.
Solution / Fix
Deskpro Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].