
Release Notes 4.50.04


SECURITY ALERT - SQL INJECTION VULNERABILITY

Versions Affected: All

Issue:

If the Novo software was set for Partial or No Authentication (i.e. Admin - Setup - Core/General Settings - Contacts - Public Authentication was set to "Disable Login" or "Enable partial login with simple database authentication"), the potential exists for someone to modify the URL in a very specific way and add malicious code to the database (referred to as a SQL injection). The injected code has the potential to affect all pages in the application, causing possible vulnerabilities for users of the application. If, however, authentication was required, the vulnerability was only exposed to authenticated contacts/end users (the end users that had to log in to gain access to the system).
 

Resolution:

Update your Novo software to the latest version (v4.50.04) as soon as possible. This update was posted on May 9, 2008.

Version 4.5: Update version 4.5
Versions 4.3 and above: Upgrade to version 4.5
Versions 4.2 and below: Request an Upgrade


Updates/Fixes in this Update

| Ticket # | Description | Product |
|---|---|---|
| 4572 | Manage Questions setting (fix for non-super admins) | Novo Knowledge Base |
| 4623 | Public AD settings not available with AM License | Novo Asset Manager |
| 4692 | VbScript Error: Subscript Out of Range (fix for when attachments come in with no name via ATS) | Novo Help Desk |
| 4705 | 3rd Party Authentication Does Not Create End User Roles | 3rd Party Authentication Module |
| 4812 | SQL injection Vulnerability Fixed | General |
| 4614 | ENH: Change Priority Background Color for 1 Column | Novo Help Desk |
| 4578 | Asset attachments are not opened from the public side | Novo Asset Manager |