BID:25517

PHD Help Desk Unspecified SQL Injection Vulnerability

Info

PHD Help Desk Unspecified SQL Injection Vulnerability

Bugtraq ID:	25517
Class:	Input Validation Error
CVE:	CVE-2007-4716
Remote:	Yes
Local:	No
Published:	Sep 03 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	The vendor disclosed this vulnerability.
Vulnerable:	PHD Help Desk PHD Help Desk 1.3 PHD Help Desk PHD Help Desk 1.21 PHD Help Desk PHD Help Desk 1.2 PHD Help Desk PHD Help Desk 1.15 PHD Help Desk PHD Help Desk 1.1 PHD Help Desk PHD Help Desk 1.05 PHD Help Desk PHD Help Desk 1.0 PHD Help Desk PHD Help Desk 0.88

Not Vulnerable:	PHD Help Desk PHD Help Desk 1.31

Discussion

PHD Help Desk Unspecified SQL Injection Vulnerability

PHD Help Desk is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to PHD Help Desk 1.31 are vulnerable.

Exploit / POC

PHD Help Desk Unspecified SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

Solution / Fix

PHD Help Desk Unspecified SQL Injection Vulnerability

Solution:
The vendor released PHD Help Desk 1.31 to address this issue. Please see the references for more information.

PHD Help Desk PHD Help Desk 1.2