cerberusHelp.txt

`Title: Cerberus Helpdesk multiple vulnerabilities.  
Severity: Medium  
Affected: cerberus-gui (2.649), support-center (2.649<->3.2.0pr2)  
Problem type: remote  
Author: Alejandro Ramos  
  
Description:  
-------------------------------------------------------------------------------  
  
Cerberus Helpdesk is a WebGroup Media helpdesk suite based in php enviroment.  
Official webpage: http://www.cerberusweb.com/  
  
  
  
Details:  
-------------------------------------------------------------------------------  
  
support-center:  
*******************************  
a  
SQL injection in attachment_send.php (line 112):  
You can download files from other users or use blind sql injection attacks:  
Example url:  
.../support-center/cerberus-support-center/attachment_send.php?file_id=N [SQL] &thread_id=1  
CODE:  
$sql = "SELECT part_content FROM thread_attachments_parts WHERE file_id = $file_id";  
  
XSS:  
http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E  
  
  
  
cerberus-gui (parser-related):  
*******************************  
  
There are few sql injections if XML is malicious generated:  
  
SQL injections in email_parser.php:  
  
Function: "is_queue_address" (line: 1397) doesn´t check properly the "$addy" value.   
CODE:  
$sql = sprintf("SELECT q.queue_name, q.queue_mode, q.queue_email_display_name, ".  
"qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".  
"qa.queue_domain, q.queue_prefix, q.queue_response_open, ".  
"q.queue_send_open, q.queue_response_gated ".  
"FROM queue_addresses qa ".  
"LEFT JOIN queue q USING (queue_id) ".  
"WHERE LOWER(qa.queue_address) = '%s' ".  
"AND LOWER(qa.queue_domain) = '%s'",  
strtolower($mailbox),  
strtolower($domain)  
  
Function: "is_banned_address" (line: 752) doesn´t check "$address" properly.  
CODE:  
SELECT a.address_banned FROM address a WHERE a.address_address = '".$address."'";  
  
Function: "is_admin_address" (line 1532) you can bypass this function using, as an email address, the following query: "'OR'u.user_superuser'='1'--".  
Example of result of this query:  
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '' OR u.user_superuser = '1'  
CODE:  
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '$address'";  
  
  
SQL injection in structs.php:  
Function: "cer_email_address_struct" (line: 167) doesn´t check the following query.  
CODE:  
$sql = "SELECT a.address_id,a.address_banned FROM address a WHERE a.address_address = '" . $a_address . "'";  
  
  
cerberus-gui:  
*******************************  
  
SQL injection in cer_KnowledgebaseHandler.class.php:  
Function: "_load_article_details" (line 270), you can fetch "superuser" md5 password with blind sql injection.  
Example URL:  
/cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4 [SQL]  
CODE:  
$sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public, k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text, kp.kb_problem_text_is_html, " .  
" ks.kb_solution_text, ks.kb_solution_text_is_html, kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating, k.kb_rating_votes " .  
" FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON (kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on (ks.kb_id=k.kb_id) ".  
" LEFT JOIN knowledgebase_categories kc ON (kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON (k.kb_entry_user=u.user_id) " .  
" WHERE k.kb_id = " . $kbid;  
  
  
SQL injection in "addresses_export.php":  
Example URL:  
POST: /cerberus-gui/addresses_export.php  
sid=c61ce82aa50569705dd774c33644446c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x  
CODE:  
$sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT JOIN thread th ON (t.min_thread_id=th.thread_id)  
LEFT JOIN address a ON (th.thread_address_id=a.address_id) WHERE t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";  
  
SQL injection in "display.php". "$thread" is not checked  
CODE:  
$sql = "SELECT th.thread_address_id, a.address_address FROM thread th LEFT JOIN address a ON (th.thread_address_id = a.address_id) ".  
"WHERE th.thread_id = " . $thread;  
  
SQL injection in "display_ticket_thread.php" (line 52).  
Example URL:  
/cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]   
CODE:  
$sql = "SELECT t.ticket_id, t.ticket_subject, t.ticket_status, t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id, t.ticket_priority, th.thread_address_id, ad.address_address, t.queue_addresses_id, q.queue_name " .  
"FROM ticket t, thread th, address ad, queue q " .  
"WHERE t.ticket_queue_id IN ($u_qids) AND th.ticket_id = t.ticket_id AND t.ticket_queue_id = q.queue_id AND th.thread_address_id = ad.address_id AND t.ticket_id = " . $ticket . " GROUP BY th.thread_id LIMIT 0,1";  
  
  
Solution:  
-------------------------------------------------------------------------------  
Not available, maybe changing every "$cerberus_db->query($sql)" to "$cerberus_db->escape($sql)".  
  
  
History:  
-------------------------------------------------------------------------------  
15-20/Nov/2005 --- Bugs discovered  
11/Dec/2005 --- The Author has been notified .  
19/Dec/2005 --- Full Disclosure  
  
  
  
--  
A. Ramos  
mailto: <[email protected]>  
http://www.unsec.net   
`