Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19319
HistoryMar 02, 2008 - 12:00 a.m.

h2desk helpdesk path disclosure vulnerability

2008-03-0200:00:00
vulners.com
34

Heathco's h2desk helpdesk ticking system provides a ticketing solution for small and large
organizations alike. Blah blah.

On to the exploit. h2desk's session handling is custom and doesnt use the standard phpsession id
handling. As a result, if you add a tic (') or any other invalid character to the session ID (stored
within a cookie) you get a nice path disclosure.

Also, you can access the database dump utility without admin rights.
helpdesk/index.php?pid=databasedump
This can be used to dump the users table.

No patch, no fix. Have fun.