Vendor: MyHelpDesk
By: SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: MyHelpDesk
Affected Version From: 20020509
Affected Version To: Earlier
Patch Exists: YES
Related CVE: CVE-2002-1490
CPE: a:myhelpdesk:myhelpdesk
Platforms Tested: None
2002

MyHelpDesk SQL Injection Vulnerability

MyHelpDesk (version 20020509 and earlier) is vulnerable to SQL injection attacks due to lack of input sanitization. By supplying malicious data via CGI parameters, an attacker can modify the logic of a SQL query. For example, the following URL can be used to gain root access: http://[TARGET]/supporter/index.php?t=detailticket&id=root%20me

Mitigation:

Input validation should be performed to ensure that user-supplied data is not used directly as part of SQL statements.
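
One way to apply this mitigation to the `id` parameter shown in the URL above, as an added example that is not MyHelpDesk's own code. The `tickets` table, its columns, the sample rows and the function names are assumptions made for illustration; the database is an in-memory SQLite instance so the example runs offline.

```php
<?php
// Hypothetical schema and rows, constructed so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT)');
$db->exec("INSERT INTO tickets (id, subject) VALUES (1, 'Printer offline'), (2, 'Password reset')");

/**
 * Accept only a short run of ASCII digits. Arrays, empty strings and
 * anything containing other characters are rejected before the
 * value gets near the database layer.
 */
function parseTicketId($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Look up a ticket with a prepared statement: the value is bound as an
 * integer parameter and is never concatenated into the SQL text.
 */
function findTicket(PDO $db, $rawId): ?array
{
    $id = parseTicketId($rawId);
    if ($id === null) {
        return null; // the caller should answer with HTTP 400
    }
    $stmt = $db->prepare('SELECT id, subject FROM tickets WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a valid id, the value from the advisory URL
// (already URL-decoded), and other malformed values.
foreach (['1', 'root me', '12abc', '', ['1']] as $input) {
    $row = findTicket($db, $input);
    printf("%-12s => %s\n", json_encode($input), $row ? $row['subject'] : 'rejected or not found');
}
```

Validation and parameter binding are applied together here: the digit check gives an early, loggable rejection, while the bound parameter keeps the query structure fixed even if the validation rule is later loosened.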
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4971/info

It is reported that MyHelpDesk (version 20020509 and earlier) is vulnerable to SQL injection attacks.

Data supplied by the remote user, via CGI parameters, is used directly as part of SQL statements. As input sanitization is not properly performed, it is possible to modify the logic of a SQL query. 

http://[TARGET]/supporter/index.php?t=detailticket&id=root%20me