|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
h2desk helpdesk path disclosure vulnerability
joseph.giron13
gmail.com
Date: Sat Mar 01 2008 - 08:31:00 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Heathco's h2desk helpdesk ticking system provides a ticketing solution for small and large organizations alike. Blah blah.
On to the exploit. h2desk's session handling is custom and doesnt use the standard phpsession id handling. As a result, if you add a tic (') or any other invalid character to the session ID (stored within a cookie) you get a nice path disclosure.
Also, you can access the database dump utility without admin rights. helpdesk/index.php?pid=databasedump
This can be used to dump the users table.
No patch, no fix. Have fun.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]