| Field | Value |
|---|---|
| Check Point Reference | CPAI-2009-217 |
| Date Published | 24 Jul 2009 |
| Severity | High |
| Last Updated | Thursday 01 January, 2009 |
| Source | SecurityTracker Alert ID: 1020442 |
| Industry Reference | CVE-2008-2991 |
| Protection Provided by | |
| Who is Vulnerable? | RoboHelp Server 6, RoboHelp Server 7 |
| Vulnerability Description | Adobe RoboHelp Server is vulnerable to a SQL injection attack. A remote attacker can trigger this vulnerability by sending a specially crafted URL to a vulnerable installation of RoboHelp Server. To carry out the attack, the attacker would need access to the RoboHelp Help Errors log, or would need to convince someone with access to the RoboHelp Help Errors log to click on a malicious URL. A successful exploit can lead to disclosure of sensitive information and loss of data. |
| Update/Patch Available | The vendor, Adobe Systems, has released an advisory addressing this vulnerability: http://www.adobe.com/support/security/bulletins/apsb08-16.html |
| Vulnerability Details | The flaw is due to insufficient sanitization of user input. A remote authenticated attacker may trigger this vulnerability by sending a crafted HTTP request to the target server. A successful attack may allow execution of arbitrary SQL statements within the RoboHelp back-end database. |