http://www.zone-h.org/en/advisories/read/id=4891/

From: D'Amato Luigi <luigidamato77@yahoo.it>
To: full-disclosure@lists.netsys.com
Date: Sat, 26 Jun 2004 11:59:08 +0100
Subject: [Full-Disclosure] ZH2004-13SA (security advisory): Sql Injection
    in Help Desp Pro 2.0

26/06/2004

ZH2004-10SA (security advisory): Sql Injection in Help Desp Pro 2.0
Date of discovery : 1 Giugno 2004

Date of release  26 Giugno 2004

Nome: Help Desk Pro

Vulnerable Version: 2.0 non patchato

Vulnerability: Sql Injection

Autore: D'Amato Luigi from Zone-h Security Labs -
securitywireless@zone-h.it - admin@securitywireless.info

Vendor: http://www.websoft.it/


Description

**********
Zone-H Security Team has discovered a flaw of securityin Help Desk Pro. This
vulnerability could allow malicious
attackers to bypass the authentication mechanish without having an account

Detail
********************************************
Due to an improper login validation in the login page it is possible to
bypass the authentication mechanism

Solution
**********
The vendor have been contact and have release a patch


--- 

D'Amato Luigi from Zone-h Security Labs -
securitywireless@zone-h.it -
admin@securitywireless.info
Admin Security Wireless
http://www.securitywireless.info

http://www.zone-h.org/en/advisories/read/id=4891/