N/A

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims.

N/A

N/A

Request Tracker ‘ShowPending’参数SQL注入漏洞

Best Practical Solutions Request Tracker（RT）是美国Best Practical Solutions公司的一套企业级开源问题跟踪系统。该系统具有Bug跟踪、客户服务、自定义工作流等功能。 Request Tracker中存在SQL注入漏洞，该漏洞源于构造SQL查询语句之前，程序没有充分过滤用户提供的输入。攻击者可以利用该漏洞完全控制应用程序，访问或修改数据，或利用底层数据库中潜在的漏洞。RT 4.0.10版本中存在漏洞，其他版本也可能受到影响。

N/A

N/A