PHP Support Tickets 1.3 SQL Injection

2016-10-30T00:00:00
ID PACKETSTORM:139415
Type packetstorm
Reporter N_A
Modified 2016-10-30T00:00:00

Description

                                        
`PHP_S_Tickets_v1.3 SQL Injection Vulnerability  
================================================  
  
  
Discovered by N_A, N_A[at]tutanota.com  
=======================================  
  
  
  
Description  
============  
  
PHP Support Tickets allows a webmaster to offer its user base a means of contacting its personnel through request vouchers.  
  
  
https://sourceforge.net/projects/php-sup-tickets  
  
  
  
  
Vulnerability  
==============  
  
An SQL injection vulnerability exists that allows unsanitized commands to be passed to the MySQL database.  
  
The vulnerability resides in the index.php and config.php files:  
  
  
  
index.php:  
===========  
  
############ AUTH SYSTEM ############  
  
IF (isset($_POST['form']) && isset($_POST['username']) && isset($_POST['password']))  
    {  
    IF (AuthUser($_REQUEST['username'], $_REQUEST['password']))  
  
  
  
  
The unsanitized request values are handled by the function AuthUser, which is located inside config.php:  
  
  
config.php:  
===========  
  
Function AuthUser($user, $pass)  
    {  
    $query = "SELECT tickets_users_password  
              FROM tickets_users  
              WHERE tickets_users_username = '$user'  
              AND tickets_users_status != '0'";  
  
    $result = @mysql_query($query);  
  
  
  
The variable $user is interpolated into the MySQL query completely unchecked and unsanitized, so injection of SQL commands is possible here.  
  
  
  
  
  
Email  
======  
  
N_A[at]tutanota.com  
  
`
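
A hardened counterpart to the AuthUser() query quoted in the advisory, as an added example that is not part of the advisory or of PHP Support Tickets. The table and column names come from the advisory; the function name AuthUserSafe, the PDO connection (in-memory SQLite standing in for the application's MySQL database), the sample rows and the password_hash() storage format are assumptions made for illustration.

```php
<?php
// Added example, not PHP Support Tickets code. Table and column names come
// from the advisory; everything else is an assumption for illustration.

// Constructed stand-in database: in-memory SQLite instead of the app's MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tickets_users (
    tickets_users_username TEXT,
    tickets_users_password TEXT,
    tickets_users_status   TEXT)");

// Constructed sample rows; password_hash() storage is an assumption.
$seed = $db->prepare("INSERT INTO tickets_users VALUES (?, ?, ?)");
$seed->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), '1']);
$seed->execute(['bob',   password_hash('disabled-user', PASSWORD_DEFAULT), '0']);

// Hardened counterpart of AuthUser(): the username is bound as a parameter,
// so quotes or SQL keywords in it can never alter the statement.
function AuthUserSafe(PDO $db, $user, $pass)
{
    if (!is_string($user) || !is_string($pass)) {
        return false;               // rejects array-valued request parameters
    }
    $stmt = $db->prepare(
        "SELECT tickets_users_password
           FROM tickets_users
          WHERE tickets_users_username = :user
            AND tickets_users_status != '0'"
    );
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();   // false when no active user matches
    return is_string($hash) && password_verify($pass, $hash);
}

var_dump(AuthUserSafe($db, 'alice', 'correct horse'));  // valid login
var_dump(AuthUserSafe($db, 'alice', 'wrong'));          // bad password
var_dump(AuthUserSafe($db, 'bob', 'disabled-user'));    // status '0'
var_dump(AuthUserSafe($db, "o'brien", 'x'));            // quote is plain data
```

Against MySQL the same prepare/execute calls apply with a mysql: DSN; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements.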