1.3.1 security alert (sql injection & file inclusion)
07-01-2005, 10:13 AM, Post #1
GHC
Registered User

Joined: Jul 2005

We've tried to contact the authors from the "contact" page, but still no answer has been received. So, we decided to publish the security alert here.

[Summary]
Insufficient filtering of user input data can lead to an SQL injection
vulnerability and arbitrary file inclusion.

[Details]

-----------[SQL injection]----------
Vulnerable script: class.ticket.php
Vulnerable code:

Code:
function CloseTicket($ticket) {
    mysql_query("UPDATE tickets SET status = 'closed' WHERE ID=$ticket"); // - SQL injection
}
-[skip]-
function ReopenTicket($ticket) {
    mysql_query("UPDATE tickets SET status='open' WHERE ID=$ticket"); // - SQL injection
}
-[skip]-
function PostMessage($ticket, $message, $headers='', $notify=true) {
    global $config;
    $headers = $config[save_headers] ? $headers: "";
    $gmtime = (time() - date("Z")) + 3600;
    ReopenTicket($ticket);
    mysql_query("INSERT INTO ticket_messages (ticket, message, headers, timestamp)
        VALUES($ticket, '" . addslashes(striptags($message)) . // - SQL injection
        "', '" . addslashes($headers) . "', FROM_UNIXTIME('$gmtime') + 0)");
    if ($config[alert_new]) {
        email_alert($ticket, mysql_insert_id());
    }
    $t = mysql_fetch_array(mysql_query("SELECT email, cat FROM tickets WHERE ID=$ticket")); // - SQL injection

It is possible to inject arbitrary SQL code through a POST query.

----------[Arbitrary file inclusion (local)]----------
The $inc variable is not defined in the files view.php and open.php in some cases.
If "Register Globals" is "on", an attacker can define this variable to invoke arbitrary local file inclusion.

Vulnerable code:

Code:
include(INCLUDE_DIR."/$inc.php");

POC:
http://vulnsite/osticket/view.php?inc=x

Server answer:
[23-Jun-2005 00:57:40] PHP Warning: main():
Failed opening '/home/vulnsite/public_html/_osticket/include/x.php'
for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php')
in /home/vulnsite/public_html/_osticket/view.php on line 98


We believe this will help the authors develop security bug fixes.

GHC staff
www.ghc.ru
www.rst.void.ru
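The same two patterns rewritten so that the ticket id and the page name can no longer alter the query or the include path, as an added example that is not part of GHC's post or of osTicket's code. It assumes a PDO connection $db, a $config array and an INCLUDE_DIR constant matching the advisory's snippets, and 'view' and 'open' as the only legitimate page names; the prepared-statement calls are a substitution for the mysql_* calls the advisory quotes, and email_alert() is osTicket's helper as named in the advisory.

```php
<?php
// Added example, not osTicket's code: hardened counterparts of the two
// patterns quoted in the advisory. Assumptions: a PDO connection $db to the
// same tickets / ticket_messages tables, the $config array and INCLUDE_DIR
// constant used by the advisory's snippets, and 'view' and 'open' as the
// only page names that view.php / open.php may include.

// Reject anything that is not a positive integer before it reaches SQL.
// Binding the value as a parameter means a crafted ticket id can no longer
// change the query's structure, which is what string interpolation allowed.
function ticketId($ticket) {
    if (!is_int($ticket) && !is_string($ticket)) {
        throw new InvalidArgumentException('invalid ticket id');
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string)$ticket)) {
        throw new InvalidArgumentException('invalid ticket id');
    }
    return (int)$ticket;
}

function CloseTicket(PDO $db, $ticket) {
    $stmt = $db->prepare("UPDATE tickets SET status = 'closed' WHERE ID = :id");
    $stmt->execute([':id' => ticketId($ticket)]);
}

function ReopenTicket(PDO $db, $ticket) {
    $stmt = $db->prepare("UPDATE tickets SET status = 'open' WHERE ID = :id");
    $stmt->execute([':id' => ticketId($ticket)]);
}

function PostMessage(PDO $db, array $config, $ticket, $message, $headers = '') {
    $id = ticketId($ticket);
    $headers = !empty($config['save_headers']) ? $headers : '';
    $gmtime = (time() - date('Z')) + 3600;   // same timestamp rule as the original
    ReopenTicket($db, $id);

    // Every user-controlled value is a bound parameter; no addslashes() needed.
    $stmt = $db->prepare(
        "INSERT INTO ticket_messages (ticket, message, headers, timestamp)
         VALUES (:ticket, :message, :headers, FROM_UNIXTIME(:gmtime))"
    );
    $stmt->execute([
        ':ticket'  => $id,
        ':message' => strip_tags($message),
        ':headers' => $headers,
        ':gmtime'  => $gmtime,
    ]);
    $messageId = (int)$db->lastInsertId();

    $stmt = $db->prepare("SELECT email, cat FROM tickets WHERE ID = :id");
    $stmt->execute([':id' => $id]);
    $t = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!empty($config['alert_new']) && $t) {
        email_alert($id, $messageId);   // osTicket's own helper, as in the advisory
    }
    return $t;
}

// File inclusion: derive the include path from a fixed allow-list with an
// explicit default, so the script never depends on $inc being undefined
// (the register_globals precondition in the advisory), and confirm the
// resolved file still lies inside INCLUDE_DIR as a second line of defence.
function resolveInclude($inc, array $allowed, $default) {
    if (!is_string($inc) || !in_array($inc, $allowed, true)) {
        $inc = $default;
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $inc . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('include not permitted');
    }
    return $path;
}

// Hypothetical usage in view.php: $inc is assigned here from the request and
// nowhere else, so the environment can no longer supply it.
// $inc = isset($_GET['inc']) ? $_GET['inc'] : null;
// include resolveInclude($inc, ['view', 'open'], 'view');
```

Turning register_globals off in php.ini removes the precondition the advisory describes for the include issue, but the allow-list is what keeps the include safe regardless of that setting; likewise the integer check on the ticket id is useful on its own, but it is the parameter binding that closes the injection for every value, not just malformed ones.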
