Related information

PHP, ASP, CGI web applications security vulnerabilities

[Full-disclosure] Advisory 05/2005: Cacti Authentification/Adds lashes Bypass Vulnerability

[Full-disclosure] Advisory 04/2005: Cacti Remote Command Execution Vulnerability

[Full-disclosure] Advisory 03/2005: Cacti Multiple SQL Injection Vulnerabilities [FIXED]

PHPXMLRPC Remote Code Execution

From:	ghc_(at)_ghc.ru <ghc_(at)_ghc.ru>
Date:	02.07.2005
Subject:	[SECURITY ALERT] osTicket bugs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ ~ RST / GHC -> OSTICKET <- ADVISORY
~ ~ Product: osTicket
~ ~ Version: <= 1.3.1 beta
~ ~ URL: http://www.osticket.com
~ ~ Risk:  medium
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Product Description]
"osTicket is a widely-used open source support ticket system. Plain and simple it is a
lightweight feature packed support ticket tool written mainly using PHP
scripting language."

[Summary]
Insufficient filtration of user input data can lead to SQL injection vulnerability and
arbitrary file including.

[Details]

-----------[SQL injection]----------
Vulnerable script: class.ticket.php
Vulnerable code:
--[code]--
function CloseTicket($ticket) {
       mysql_query("UPDATE tickets SET status = 'closed' WHERE ID=$ticket");  // - SQL
injection
}
-[skip]-
function ReopenTicket($ticket) {
       mysql_query("UPDATE tickets SET status='open' WHERE ID=$ticket");      // - SQL
injection
}
-[skip]-
function PostMessage($ticket, $message, $headers='', $notify=true) {
   global $config;
       $headers = $config[save_headers] ? $headers: "";
       $gmtime = (time() - date("Z")) + 3600;
       
       ReopenTicket($ticket);
       mysql_query("INSERT INTO ticket_messages (ticket, message, headers, timestamp)
       VALUES($ticket, '" . addslashes(striptags($message)) .                 // - SQL
injection
       "', '" . addslashes($headers) . "', FROM_UNIXTIME('$gmtime') + 0)");

   if ($config[alert_new]) {
          email_alert($ticket, mysql_insert_id());
       }
       
       $t = mysql_fetch_array(mysql_query
       ("SELECT email, cat FROM tickets WHERE ID=$ticket"));                  // - SQL
injection
--[/code]--

It is possible to inject arbitrary SQL code through POST query.
An attacker can use one-char bruteforce technique to get some sensitive information from
database.


----------[Arbitrary file including (local)]----------
$inc variable is not defined in files vew.php and open.php in some cases.
If "Register Globals" is "on", an attacker can define this variable to invoke
arbitrary local file inclusion.

Vulnerable code:
--[code]--
include(INCLUDE_DIR."/$inc.php");
--[/code]--

POC:
http://vulnsite/osticket/view.php?inc=x

Server answer:
[23-Jun-2005 00:57:40] PHP Warning:  main():
Failed opening '/home/vulnsite/public_html/_osticket/include/x.php'
for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php')
in /home/vulnsite/public_html/_osticket/view.php on line 98


+---------------------------------------------+
|       Discovered by edisan & foster         |   
|   http://www.ghc.ru   http://rst.void.ru    |
+---------------------------------------------+