PHP_S_Tickets_v1.3 SQL Injection Vulnerabilty
================================================


Discovered by N_A, N_A[at]tutanota.com
=======================================



Description
============

PHP Support Tickets; will allow a webmaster the ability to offer its user base a means to contact its personnel through request vouchers.


https://sourceforge.net/projects/php-sup-tickets




Vulnerability
==============

An SQL Injection vulnerability exists that allows unsanitized commands to be passed into the MYSQL database.

The vulnerability resides inside the index.php and the config.php file:



index.php:
===========

############ AUTH SYSTEM ############
A 
IF (isset($_POST['form']) && isset($_POST['username']) && isset($_POST['password']))
A A A  {
A A A  IF (AuthUser($_REQUEST['username'], $_REQUEST['password']))




unsanitized requests are handled by the function AuthUser which is located inside config.php:


config.php:
===========

Function AuthUser($user, $pass)
A A A  {
A A A  $query = "A A A  SELECT tickets_users_password
A A A  A A A  A A A  FROM tickets_users
A A A  A A A  A A A  WHERE tickets_users_username = '$user'
A A A  A A A  A A A  AND tickets_users_status != '0'";
A 
A A A  $result = @mysql_query($query);



The variable $user is passed to the MYSQL query completely unchecked and unsanitized and it is possible for command injection to take place here.





Email
======

N_A[at]tutanota.com

--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com