mailing list archives
Assurent VR - Adobe RoboHelp Server SQL Injection Vulnerability
From: VR-Subscription-noreply () assurent com
Date: Tue, 8 Jul 2008 15:21:45 -0400 (EDT)
Adobe RoboHelp Server SQL Injection Vulnerability
Assurent ID: FSC20080708-10
1. Affected Software
Adobe RoboHelp Server, version 6
Adobe RoboHelp Server, version 7
2. Vulnerability Summary
There exists an SQL injection vulnerability in Adobe RoboHelp Server that allows attackers to inject and execute
statements. The SQL would run against the RoboHelp back-end database within the security context of the
3. Vulnerability Analysis
The vulnerability can be exploited two ways:
1) A remote authenticated attacker may trigger this vulnerability by sending a crafted HTTP request to the target
2) A remote unauthenticated attacker can entice an authenticated user to execute an attack using cross-site
Assurent has confirmed that execution of arbitrary SQL statements is possible. The SQL in such a case would execute
security context of the application's database connection.
4. Vulnerability Detection
Assurent has confirmed the vulnerability in Adobe RoboHelp Server versions 6 and 7.
Apply the vendor patch or block communication from untrusted networks to ports 80/TCP and 443/TCP on affected assets.
6. Vendor Response
Adobe Systems has released a bulletin addressing this vulnerability.
7. Disclosure Timeline
05/09/2008 Reported to vendor
05/09/2008 Initial vendor response
07/08/2008 Coordinated public disclosure
Vulnerability Research Team, Assurent Secure Technologies, a TELUS company
10. About Assurent VRS
Assurent's Vulnerability Research Service (VRS) for security product vendors, and Threat Protection Programs (TPP)
MSPs and enterprise security teams, help to eliminate the significant costs incurred by security product vendors,
and enterprise security teams in responding to and managing critical new security vulnerabilities and other threats
including worm & virus outbreaks and high-risk spyware. The VRS and TPP services are real-time feeds providing
with detailed analysis of the top security vulnerabilities, focused on the specific needs of each group of customers.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Assurent VR - Adobe RoboHelp Server SQL Injection Vulnerability VR-Subscription-noreply (Jul 09)