osTicket view.php cat Variable SQL Injection

2005-05-02T10:15:32
ID OSVDB:16277
Type osvdb
Reporter James Bercegay()
Modified 2005-05-02T10:15:32

Description

Vulnerability Description

osTicket contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'cat' variable in the view.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 1.3.1 or higher, as it has been reported to fix this vulnerability. In addition, osTicket.com has released a patch for some older versions.

Short Description

osTicket contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'cat' variable in the view.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/view.php?s=advanced&query=&cat=-99%20UNION%20SELECT %2031337,0,0,0,password%20FROM%20ticket_reps%20WHERE%20ID=5/*&status=& sort=ID&way=ASC&per=5&search_submit=Search

References:

Vendor URL: http://www.osticket.com/ Security Tracker: 1013869 Secunia Advisory ID:15216 Related OSVDB ID: 16275 Related OSVDB ID: 16271 Related OSVDB ID: 16274 Related OSVDB ID: 16276 Related OSVDB ID: 16278 Related OSVDB ID: 16279 Related OSVDB ID: 16270 Related OSVDB ID: 16272 Related OSVDB ID: 16273 Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00071-05022005 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0051.html