TUCoPS :: Web :: Apps :: bt1303.txt

Multiple SQL Injection Vulnerabilities in DeskPRO

Article reference:


DeskPRO ( is "an integrated script to manage your 
customer sales and support". The DeskPRO product uses a SQL engine (MySQL) to 
store information.
The product contains multiple pages that do not adequately filter user-provided 
data, allowing a remote attacker to insert malicious SQL statements into the 
application's existing queries.


Vulnerable systems:
  * DeskPRO version 1.1.0 and prior

Immune systems:
  * DeskPRO version 1.1.2

The impact is best illustrated by the fact that a remote attacker can log on to 
the system with the administrator username without knowing the password, by 
entering the following information in the logon screen:
  Email: admin
  Password: 'or''='
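The logon bypass above, reproduced as an added example that is not DeskPRO's code: a constructed SQLite user table (the page does not show the real MySQL schema) is queried once with the string-concatenated pattern the advisory describes and once with a parameterised query, which is the fix that keeps the password value from changing the query.

```python
"""Added example (not DeskPRO's code): reproduces the logon bypass from the
advisory against an in-memory SQLite table and shows the parameterised fix."""
import sqlite3


def make_db():
    # Constructed sample table; the real DeskPRO schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    # Hypothetical reconstruction of the weak pattern: user input is pasted
    # straight into the SQL text, so quotes in the input rewrite the WHERE
    # clause.  With password 'or''=' the clause becomes
    #   password = '' or '' = ''   which is true for every row.
    sql = ("SELECT email FROM users WHERE email = '" + email +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, email, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so a quote in the password is only a character to compare.
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    row = conn.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "'or''='"  # the password value quoted in the advisory
    return {
        "vulnerable": login_vulnerable(conn, "admin", payload),
        "fixed": login_fixed(conn, "admin", payload),
        "fixed_real": login_fixed(conn, "admin", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```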

Vendor response:
On the 21st of Sep 2003 this issue was reported to DeskPRO, and the following 
reply was received on the same day:
"Thank you for the notification, we will have a fix within 24 hours. We 
appreciate keeping the information out of the public domain until we have had 
time to fix and release a patch."
On the 2nd of Oct 2003, after the majority of their customers had patched the 
issue, we decided to release this advisory.

The information has been provided by SecurITeam Experts 

Aviram Jenik
Beyond Security Ltd.
