Executive Summary
Summary | |
---|---|
Title | Support Incident Tracker multiple vulnerabilities |
Information | | | |
---|---|---|---|
Name | VU#576355 | First vendor Publication | 2011-12-02 |
Vendor | VU-CERT | Last vendor Modification | 2011-12-02 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | | |
---|---|---|---|
CVSS Base Score | 7.5 | Attack Range | Network |
CVSS Impact Score | 6.4 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#576355
Support Incident Tracker multiple vulnerabilities

Overview
Support Incident Tracker (or SiT!) version 3.65, and possibly earlier versions, contains multiple vulnerabilities including malicious file uploads, SQL injection, cross-site scripting, and cross-site request forgery.

I. Description
According to the SiT! website: "Support Incident Tracker (or SiT!) is a Free Software/Open Source (GPL) web based application which uses PHP and MySQL for tracking technical support calls/emails (also commonly known as a 'Help Desk' or 'Support Ticket System')."

CWE-434: Unrestricted Upload of File with Dangerous Type
The incident_attachments.php script does not filter the attachment's extension properly. An attacker may upload any file to the web server and have it run with the privileges of the web service. This vulnerability could be used to upload a PHP shell which may be used as a backdoor. The upload file path is structured in the following way: /attachments-{hash}/{incident ID}/{file ID}-{file name}.{extension}. An attacker would need user access to the website, as well as the attachments folder path, which has to be brute forced. An attacker has two options to retrieve the folder path: the attacker could brute force the default attachments folder name because of a weak generation algorithm, or the attacker could use the move_uploaded_file.php script to generate an error message that includes the folder path. The ftp_upload_file.php script is also vulnerable. An attacker may be able to upload any file to the web server and have it run with the privileges of the web service if they can guess the folder path.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The incident_attachments.php script is vulnerable to SQL injection. The attachment file name is not properly sanitized. An attacker may exploit this flaw to execute queries against the database.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The incident_attachments.php script is vulnerable to XSS. An attacker may be able to upload a filename that includes arbitrary script which will be run on the incident attachments web page. The link_add.php script is vulnerable to XSS. An attacker may be able to inject arbitrary script into the link creation page. The translate.php script is vulnerable to XSS. An attacker may inject arbitrary script into a saved translation web page, which is then executed with the permissions of the web service.

CWE-352: Cross-Site Request Forgery (CSRF)
The reporter states that most of the SiT! scripts are vulnerable to CSRF attacks. For example, an attacker may be able to trick a logged-in user into visiting the following URL to delete a user account: /user_delete.php?userid=6. It has been reported that all web pages except config.php, edit_user_permissions.php, forgotpwd.php, user_add.php and user_profile_edit.php are vulnerable.

II. Impact
An attacker may be able to inject arbitrary script, execute commands as a logged-in user, or upload malicious files to the web server.

III. Solution
We are currently unaware of a practical solution to this problem.
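Three of the weaknesses above share a single input: the attachment file name handled by incident_attachments.php (unrestricted upload via its extension, SQL injection and XSS via its contents). The following is an added example, not code from SiT! or from the CERT note, showing the defender-side controls that close each of them and a small log check for the symptoms the note describes. It assumes a table named `attachments` with the columns shown, an allowlist of extensions chosen as a hypothetical help-desk policy, and constructed access-log lines; none of these come from the page.

```python
"""Defensive handling of help-desk attachment names (added example)."""
import html
import re
import sqlite3
from typing import Dict, Iterable, List

# Hypothetical policy: the only extensions a ticket attachment may carry.
ALLOWED_EXTENSIONS = {"txt", "log", "pdf", "png", "jpg", "jpeg", "gif", "zip"}
# Extensions a typical web server would execute if served from a directory.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar", "cgi", "pl", "sh"}

# Whole-name allowlist: alphanumerics, dot, dash, underscore; must not start
# with a dot, so "../" traversal and hidden files fail the match outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,199}$")

# Apache/nginx combined-log request field, e.g. "GET /x.php?a=1 HTTP/1.1" 200
_LOG = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def validate_attachment_name(name: str) -> str:
    """Return the name unchanged if acceptable, otherwise raise ValueError.

    Every dotted component after the base name must be on the allowlist, so
    double extensions such as 'shell.php.jpg' are rejected rather than
    judged only by their last extension.
    """
    if not _SAFE_NAME.match(name):
        raise ValueError(f"unacceptable file name: {name!r}")
    base, *exts = name.lower().split(".")
    if not exts:
        raise ValueError("file name has no extension")
    for ext in exts:
        if ext not in ALLOWED_EXTENSIONS:
            raise ValueError(f"extension {ext!r} is not allowed")
    return name


def store_attachment(conn: sqlite3.Connection, incident_id: int, name: str) -> int:
    """Record the attachment with a parameterised INSERT; returns the row id.

    The file name never reaches the SQL text, which is the CWE-89 fix; the
    validation above is the CWE-434 fix and is applied first.
    """
    safe_name = validate_attachment_name(name)
    cur = conn.execute(
        "INSERT INTO attachments (incident_id, filename) VALUES (?, ?)",
        (incident_id, safe_name),
    )
    conn.commit()
    return cur.lastrowid


def render_attachment_link(file_id: int, name: str) -> str:
    """HTML-encode the name on output (CWE-79) even if it was validated on
    input; rows written before validation existed cannot be trusted."""
    return f'<a href="/download.php?id={int(file_id)}">{html.escape(name)}</a>'


def find_suspicious_requests(log_lines: Iterable[str]) -> List[str]:
    """Flag requests for executable files under an attachments directory and
    plain GET requests to user_delete.php (the CSRF pattern in the note)."""
    hits: List[str] = []
    for line in log_lines:
        m = _LOG.search(line)
        if not m:
            continue
        path = m.group("path").split("?")[0]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if "/attachments-" in path and ext in EXECUTABLE_EXTENSIONS:
            hits.append(m.group("path"))
        elif path.endswith("/user_delete.php") and m.group("method") == "GET":
            hits.append(m.group("path"))
    return hits


# Constructed sample log lines for the detection check (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Dec/2011:10:00:01 +0000] "GET /incidents.php?id=12 HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Dec/2011:10:00:07 +0000] "GET /attachments-ab12cd/12/3-report.pdf HTTP/1.1" 200 8192',
    '10.0.0.9 - - [02/Dec/2011:10:01:13 +0000] "GET /attachments-ab12cd/12/4-notes.php HTTP/1.1" 200 77',
    '10.0.0.9 - - [02/Dec/2011:10:02:40 +0000] "GET /user_delete.php?userid=6 HTTP/1.1" 302 0',
]


def demo() -> Dict[str, object]:
    """Exercise the three controls and the log check on constructed input."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attachments (id INTEGER PRIMARY KEY, incident_id INTEGER, filename TEXT)"
    )
    stored_id = store_attachment(conn, 12, "report.pdf")
    rejected = []
    for bad in ("shell.php", "shell.php.jpg", "../../etc/passwd",
                "x'); DROP TABLE attachments;--.txt", "<script>.txt"):
        try:
            validate_attachment_name(bad)
        except ValueError:
            rejected.append(bad)
    return {"stored_id": stored_id, "rejected": rejected,
            "alerts": find_suspicious_requests(SAMPLE_LOG)}


if __name__ == "__main__":
    print(demo())
```

The allowlist check is deliberately strict: a name like `report.2011.txt` is refused because `2011` is not an allowed extension, which is the trade-off of judging every dotted component instead of only the last one. The log check is a first-pass indicator, not proof of compromise; a hit on an executable extension under `/attachments-` should prompt a look at what was uploaded and by which account.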
References
http://sitracker.org/

Credit
Thanks to the reporter that wishes to remain anonymous. This document was written by Jared Allar.

Other Information
Original Source
Url : http://www.kb.cert.org/vuls/id/576355 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
25 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
25 % | CWE-200 | Information Exposure |
25 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
25 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 1 |
ExploitDB Exploits
Id | Description |
---|---|
2011-11-13 | Support Incident Tracker <= 3.65 Remote Command Execution |
OpenVAS Exploits
Date | Description |
---|---|
2011-11-16 | Name : Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities File : nvt/gb_sit_50632.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
77003 | Support Incident Tracker ftp_upload_file.php File Upload PHP Code Execution |
77001 | Support Incident Tracker incident_attachments.php Uploaded File Name SQL Inje... Support Incident Tracker contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the incident_attachments.php script not properly sanitizing user-supplied input to uploaded file names. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |