[VIM] osTicket 1.6 - Local File Inclusion

George A. Theall theall at tenable.com
Tue Nov 9 08:26:34 CST 2010

Bugtraq ID 44739 / Exploit DB 15471 cover a local file inclusion issue  
reported by d3v11 and affecting the 'module.php' script in osTicket  
1.6. The sample PoC SecurityFocus gives is:


Trouble is, there's no file named 'module.php' in the distribution  
file of osTicket 1.6, either the one I just downloaded from the  
project itself or the one attached to the EDB advisory itself.

To me this looks like it's a rehash of BID 19256. Or BID 39732, which  
seems to be a dup of the older BID.  For example, do a Google search  
of 'osTicket "module.php" inurl:"view.php'"' and look at the sites  
turned up -- they say they're "Powered by Help Center Live".

Btw, the EDB advisory says the issue's been verified. What exactly  
does that mean? Who's verified the vulnerability and how was it done?

theall at tenablesecurity.com

More information about the VIM mailing list