osTicket131.txt

osTicket131.txt: Posted Jul 1, 2005; Authored by Foster, edisan | Site ghc.ru; osTicket versions 1.3.1beta and below suffer from SQL injection and file inclusion flaws.; tags | advisory, sql injection, file inclusion; SHA-256 | 062203da452a48183dabb5fa5083266edff71537df530e644965fbe3d188be59; Download | Favorite | View

osTicket131.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ ~ RST / GHC -> OSTICKET <- ADVISORY
~ ~ Product: osTicket
~ ~ Version: <= 1.3.1 beta
~ ~ URL: http://www.osticket.com
~ ~ Risk:  medium
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Product Description]
"osTicket is a widely-used open source support ticket system. Plain and simple it is a lightweight feature packed support ticket tool written mainly using PHP 
scripting language."

[Summary]
Insufficient filtration of user input data can lead to SQL injection vulnerability and arbitrary file including.

[Details]

-----------[SQL injection]----------
 Vulnerable script: class.ticket.php
 Vulnerable code:
--[code]--
function CloseTicket($ticket) {
        mysql_query("UPDATE tickets SET status = 'closed' WHERE ID=$ticket");  // - SQL injection
}
-[skip]-
function ReopenTicket($ticket) {
        mysql_query("UPDATE tickets SET status='open' WHERE ID=$ticket");      // - SQL injection
}
-[skip]-
function PostMessage($ticket, $message, $headers='', $notify=true) {
    global $config;
        $headers = $config[save_headers] ? $headers: "";
        $gmtime = (time() - date("Z")) + 3600;
        
        ReopenTicket($ticket);
        mysql_query("INSERT INTO ticket_messages (ticket, message, headers, timestamp) 
        VALUES($ticket, '" . addslashes(striptags($message)) .                 // - SQL injection 
        "', '" . addslashes($headers) . "', FROM_UNIXTIME('$gmtime') + 0)");

    if ($config[alert_new]) {
           email_alert($ticket, mysql_insert_id());
        }
        
        $t = mysql_fetch_array(mysql_query
        ("SELECT email, cat FROM tickets WHERE ID=$ticket"));                  // - SQL injection
--[/code]--

It is possible to inject arbitrary SQL code through POST query.
An attacker can use one-char bruteforce technique to get some sensitive information from database.


----------[Arbitrary file including (local)]----------
$inc variable is not defined in files vew.php and open.php in some cases.
If "Register Globals" is "on", an attacker can define this variable to invoke 
arbitrary local file inclusion. 

Vulnerable code:
--[code]--
 include(INCLUDE_DIR."/$inc.php"); 
--[/code]--

POC: 
http://vulnsite/osticket/view.php?inc=x

Server answer:
[23-Jun-2005 00:57:40] PHP Warning:  main(): 
Failed opening '/home/vulnsite/public_html/_osticket/include/x.php' 
for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') 
in /home/vulnsite/public_html/_osticket/view.php on line 98 


+---------------------------------------------+
|       Discovered by edisan & foster         |   
|   http://www.ghc.ru   http://rst.void.ru    |
+---------------------------------------------+

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

osTicket131.txt

osTicket131.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

osTicket131.txt

Share This

osTicket131.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems