Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17383
HistoryJun 28, 2007 - 12:00 a.m.

[Full-disclosure] eTicket version 1.5.5 XSS Attack Vulnerability

2007-06-2800:00:00
vulners.com
9
JSON

netVigilance Security Advisory #31
eTicket version 1.5.5 XSS Attack Vulnerability
Description:
eTicket is an electronic (open source) support ticket system based on osTicket, that can receive tickets
via email (pop3 or pipe) and a web-based form, as
well as manage them using a web interface.
Successful exploitation requires PHP register_globals set to On.
External References:
Mitre CVE: CVE-2007-2801
NVD NIST: CVE-2007-2801
OSVDB: 34786
Summary:
eTicket is an electronic (open source) support ticket system based on osTicket.
Security problem in the product allows attackers to conduct XSS attacks.
Advisory URL:
http://www.netvigilance.com/advisory0031
Release Date:
06/27/2007

Severity:
Risk: Medium

CVSS Metrics:
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal
CVSS Base Score: 5.6

Target Distribution on Internet: Low

Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed

Vulnerability Impact: Attack
Host Impact: XSS Attack
SecureScout Testcase ID:
TC 17961
Vulnerable Systems:
eTicket version 1.5.5 (new version 1.5.5.1 is also vulnerable)
Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to the target, by sending a
specially crafted request to the web-site. The
vulnerable web-site is not the target of attack but is used as a tool for the hacker in the attack of the
victim.
Vendor:
HM2K
Vendor Status:
HM 2K from eTicket got the Draft advisory on 21 May 2007 and got extensive support in how to fix the
security problems on 23 May 2007 and 28 May 2007.
In HM 2K's own words HM 2K "lost interest" and HM 2K "seriously found it too difficult to orchestrate
what you [netVigilance] were asking from me [HM 2K],
so I just did what I thought was best.". netVigilance's tests show that version 1.5.5.1 is also
vulnerable. There currently is no official fix for this
advisory.
Workaround:
In the php.ini file set register_globals = Off.
Example:
REQUEST:
http://[TARGET]/[PRODUCT FOLDER]/open.php?err=<script>alert(document.cookie)</script>
OR
http://[TARGET]/[PRODUCT FOLDER]/open.php?warn=<script>alert(document.cookie)</script>
REPLY:
Will execute <script>alert(document.cookie)</script>
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

packetstorm 1
cve 1
prion 1
securityvulns 1
packetstorm
packetstorm
eticket-xss.txt
2007-06-29 00:00:00
cve
cve
CVE-2007-2801
2007-06-30 01:30:00
prion
prion
Cross site scripting
2007-06-30 01:30:00
securityvulns
securityvulns
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2007-06-28 00:00:00
JSON
Related for SECURITYVULNS:DOC:17383
packetstorm1cve1prion1securityvulns1