SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   osTicket
Vendors:   osTicket.com
osTicket Lets Remote Users Include Local Files and Inject SQL Commands
SecurityTracker Alert ID:  1014373
SecurityTracker URL:  http://securitytracker.com/id/1014373
CVE Reference:   CVE-2005-2153, CVE-2005-2154
Updated:  Jun 24 2008
Original Entry Date:  Jul 4 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.3.1 beta and prior versions
Description:   Two vulnerabilities were reported in osTicket. A remote user can inject SQL commands. A remote user can include local files.

The 'class.ticket.php' script does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value as part of a POST query to execute SQL commands on the underlying database.

The 'view.php' and 'open.php' scripts do not properly define the 'inc' variable. If 'register_globals' is set to 'on' in the 'php.ini' file, a remote user can supply a specially crafted URL to cause the target system to include and execute PHP files located on the target system.

A demonstration exploit URL to include 'x.php' from the local system is provided:

http://[target]/osticket/view.php?inc=x

edisan & foster from RST/GHC discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can execute arbitrary include files located on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.osticket.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SECURITY ALERT] osTicket bugs


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ ~ RST / GHC -> OSTICKET <- ADVISORY
~ ~ Product: osTicket
~ ~ Version: <= 1.3.1 beta
~ ~ URL: http://www.osticket.com
~ ~ Risk:  medium
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Product Description]
"osTicket is a widely-used open source support ticket system. Plain and simple it is a lightweight feature packed support ticket tool written mainly using PHP scripting language."

[Summary]
Insufficient filtering of user input data can lead to an SQL injection vulnerability and arbitrary file inclusion.

[Details]

-----------[SQL injection]----------
 Vulnerable script: class.ticket.php
 Vulnerable code:
--[code]--
function CloseTicket($ticket) {
        mysql_query("UPDATE tickets SET status = 'closed' WHERE ID=$ticket");  // - SQL injection
}
-[skip]-
function ReopenTicket($ticket) {
        mysql_query("UPDATE tickets SET status='open' WHERE ID=$ticket");      // - SQL injection
}
-[skip]-
function PostMessage($ticket, $message, $headers='', $notify=true) {
    global $config;
        $headers = $config[save_headers] ? $headers: "";
        $gmtime = (time() - date("Z")) + 3600;
        
        ReopenTicket($ticket);
        mysql_query("INSERT INTO ticket_messages (ticket, message, headers, timestamp) 
        VALUES($ticket, '" . addslashes(striptags($message)) .                 // - SQL injection 
        "', '" . addslashes($headers) . "', FROM_UNIXTIME('$gmtime') + 0)");

    if ($config[alert_new]) {
           email_alert($ticket, mysql_insert_id());
        }
        
        $t = mysql_fetch_array(mysql_query
        ("SELECT email, cat FROM tickets WHERE ID=$ticket"));                  // - SQL injection
--[/code]--

It is possible to inject arbitrary SQL code through a POST query.
An attacker can use a one-character brute-force technique to get some sensitive information from the database.


----------[Arbitrary file including (local)]----------
The $inc variable is not defined in the files view.php and open.php in some cases.
If "Register Globals" is "on", an attacker can define this variable to invoke
arbitrary local file inclusion.

Vulnerable code:
--[code]--
 include(INCLUDE_DIR."/$inc.php"); 
--[/code]--

POC: 
http://vulnsite/osticket/view.php?inc=x

Server response:
[23-Jun-2005 00:57:40] PHP Warning:  main(): 
Failed opening '/home/vulnsite/public_html/_osticket/include/x.php' 
for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') 
in /home/vulnsite/public_html/_osticket/view.php on line 98 
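Hardened counterparts of both defects in this advisory (the interpolated ticket ID in class.ticket.php and the request-controlled $inc in view.php/open.php), written here as an added example rather than osTicket's own fix. It assumes a PDO handle and the same include/ layout as the paths above; the function and page names are hypothetical.

```php
<?php
// Hardened counterparts of the two osTicket defects shown above (added example,
// not osTicket's patch). Assumes a PDO handle; helper and page names are hypothetical.

// Ticket IDs are integers: reject anything else before it reaches the SQL text.
function ticketIdOrFail($ticket) {
    $valid = is_int($ticket) || (is_string($ticket) && ctype_digit($ticket));
    if (!$valid || (int)$ticket <= 0) {
        throw new InvalidArgumentException('ticket ID must be a positive integer');
    }
    return (int)$ticket;
}

// Bound parameters replace string interpolation, so the ID can never alter the query.
function closeTicket(PDO $db, $ticket) {
    $stmt = $db->prepare("UPDATE tickets SET status = 'closed' WHERE ID = :id");
    $stmt->bindValue(':id', ticketIdOrFail($ticket), PDO::PARAM_INT);
    return $stmt->execute();
}

function postMessage(PDO $db, $ticket, $message, $headers = '') {
    $id = ticketIdOrFail($ticket);
    // Timestamp handling simplified to NOW(); the original's GMT adjustment is omitted.
    $stmt = $db->prepare(
        "INSERT INTO ticket_messages (ticket, message, headers, timestamp)
         VALUES (:id, :message, :headers, NOW())"
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':message', strip_tags($message));  // bound values need no addslashes()
    $stmt->bindValue(':headers', $headers);
    return $stmt->execute();
}

// Local file inclusion: $inc is always assigned here from a fixed allowlist, so a
// request parameter (or register_globals) can never choose the file that is included.
define('INCLUDE_DIR', __DIR__ . '/include');
$pages = array('ticket' => 'ticket', 'open' => 'open');  // hypothetical page names

function resolveInclude(array $pages, $requested, $fallback) {
    $inc = array_key_exists($requested, $pages) ? $pages[$requested] : $pages[$fallback];
    return INCLUDE_DIR . '/' . $inc . '.php';
}

// In view.php the include would then read:
//   $page = isset($_GET['page']) ? $_GET['page'] : '';
//   include(resolveInclude($pages, $page, 'ticket'));
```

With this shape, a request such as view.php?inc=x has no effect, because $inc is never read from the request and unknown page names fall back to the default.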


+---------------------------------------------+
|       Discovered by edisan & foster         |   
|   http://www.ghc.ru   http://rst.void.ru    |
+---------------------------------------------+


Copyright 2020, SecurityGlobal.net LLC