[原文]SQL injection vulnerability in index.php for MyHelpDesk 20020509, and possibly other versions, allows remote attackers to conduct unauthorized activities via SQL code in the "id" parameter for the operations (1) detailticket, (2) editticket, or (3) updateticketlog.
It is reported that MyHelpDesk (version 20020509 and earlier) are vulnerable to SQL injection attacks.
Data supplied by the remote user, via CGI parameters, is used directly as part of SQL statements. As input sanitization is not properly performed, it is possible to modify the logic of a SQL query.
MyHelpDesk contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.