Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

eticket156-xss.txt

🗓️ 28 Jan 2008 00:00:00Reported by Alessandro TanasiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 30 Views

eTicket 'index.php' Cross Site Scripting Path Vulnerability in eTicket 1.5.6-RC

Code
`________________________________________________________________________________  
  
eTicket 'index.php' Cross Site Scripting Path Vulnerability  
________________________________________________________________________________  
  
Name: eTicket 'index.php' Cross Site Scripting Path  
Vulnerability  
Application: eTicket  
Versions Affected: 1.5.6-RC4  
Severity: Medium  
Vendor: eTicket, http://sourceforge.net/projects/eticket  
Bug: XSS Path vulnerability  
Exploitation: Client side, remote  
Author: Alessandro `jekil` Tanasi  
email: [email protected]  
web: http://www.tanasi.it  
Date: 20/01/2008  
Advisory:  
http://www.lonerunners.net/users/jekil/pub/hack-eticket/hack-eticket.txt  
________________________________________________________________________________  
  
Table of contents:  
  
I. Background  
II. Description  
III. Analysis  
IV. Detection  
V. Fix  
VI. Vendor Response  
VII. CVE Information  
VIII. Disclousure timeline  
IX. Credits  
________________________________________________________________________________  
  
I. BACKGROUND  
  
eTicket is a PHP-based electronic (open source) support ticket system  
based on osTicket, that can receive tickets via email (pop3/pipe) or a  
web form. It also offers a ticket manager with many features. An ideal  
helpdesk solution for any website.  
  
  
II. DESCRIPTION  
  
The application eTicket version 1.5.6-RC4 is prone to a Cross Site  
Scripting Path vulnerability.  
  
  
III. ANALYSIS  
  
Attackers may exploit these issue through a web browser.  
To exploit the cross-site scripting issues, an attacker must entice an  
unsuspecting victim into visiting a malicious URI.  
  
  
IV. DETECTION  
  
Proof of concept:  
http://example.com/index.php/"><script>alert('XSS')</script>  
  
  
V. FIX  
  
Properly validate user input.  
  
  
VI. VENDOR RESPONSE  
  
No vendor response at this time.  
  
  
VII. CVE INFORMATION  
  
No CVE at this time.  
  
  
VIII. DISCLOSURE TIMELINE  
  
21012008 Bug discovered  
21012008 Vendor contacted  
  
  
IX. CREDIT  
  
Alessandro `jekil` Tanasi is credited with the discovery of this  
vulnerability.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jan 2008 00:00Current
7.4High risk
Vulners AI Score7.4
eticketcross site scriptingvulnerability1.5.6-rc4xss pathremotephp-basedvalidationdiscoveryalessandro tanasi
30