|
Cerberus Helpdesk multiple vulnerabilities |
|
|
|
|
Friday, 30 December 2005 |
Description:
-------------------------------------------------------------------------------
Cerberus Helpdesk is a WebGroup Media helpdesk suite based in php
enviroment.
Official webpage: http://www.cerberusweb.com/
Details:
-------------------------------------------------------------------------------
support-center:
*******************************
SQL injection in attachment_send.php (line 112):
You can download files from other users or use blind sql
injection attacks:
Example url:
.../support-center/cerberus-support-center/attachment_send.php?file_id=N [SQL] &thread_id=1
CODE:
$sql = "SELECT part_content FROM thread_attachments_parts WHERE
file_id = $file_id";
XSS:
http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E
cerberus-gui (parser-related):
*******************************
There are few sql injections if XML is malicious generated:
SQL injections in email_parser.php:
Function: "is_queue_address" (line: 1397) doesn.t check properly
the "$addy" value.
CODE:
$sql = sprintf("SELECT q.queue_name, q.queue_mode,
q.queue_email_display_name, ".
"qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".
"qa.queue_domain, q.queue_prefix, q.queue_response_open, ".
"q.queue_send_open, q.queue_response_gated ".
"FROM queue_addresses qa ".
"LEFT JOIN queue q USING (queue_id) ".
"WHERE LOWER(qa.queue_address) = %s ".
"AND LOWER(qa.queue_domain) = %s",
strtolower($mailbox),
strtolower($domain)
Function: "is_banned_address" (line: 752) doesn.t check "$address"
properly.
CODE:
SELECT a.address_banned FROM address a WHERE a.address_address
= ".$address."";
Function: "is_admin_address" (line 1532) you can bypass this
function using, as an email address, the following query:
"ORu.user_superuser=1--".
Example of result of this query:
SELECT u.user_id FROM user u WHERE u.user_email != AND
u.user_email = OR u.user_superuser = 1
CODE:
SELECT u.user_id FROM user u WHERE u.user_email != AND
u.user_email = $address";
SQL injection in structs.php:
Function: "cer_email_address_struct" (line: 167) doesn.t check the
following query.
CODE:
$sql = "SELECT a.address_id,a.address_banned FROM address a
WHERE a.address_address = " . $a_address . "";
cerberus-gui:
*******************************
SQL injection in cer_KnowledgebaseHandler.class.php:
Function: "_load_article_details" (line 270), you can fetch
"superuser" md5 password with blind sql injection.
Example URL:
/cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4 [SQL]
CODE:
$sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public,
k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text,
kp.kb_problem_text_is_html, " .
" ks.kb_solution_text, ks.kb_solution_text_is_html,
kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating,
k.kb_rating_votes " .
" FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON
(kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on
(ks.kb_id=k.kb_id) ".
" LEFT JOIN knowledgebase_categories kc ON
(kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON (k.kb_entry_user=u.user_id) " .
" WHERE k.kb_id = " . $kbid;
SQL injection in "addresses_export.php":
Example URL:
POST: /cerberus-gui/addresses_export.php
sid=c61ce82aa50569705dd774c33644446c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x
CODE:
$sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT
JOIN thread th ON (t.min_thread_id=th.thread_id)
LEFT JOIN address a ON (th.thread_address_id=a.address_id)
WHERE t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";
SQL injection in "display.php". "$thread" is not checked
CODE:
$sql = "SELECT th.thread_address_id, a.address_address FROM
thread th LEFT JOIN address a ON (th.thread_address_id = a.address_id)
".
"WHERE th.thread_id = " . $thread;
SQL injection in "display_ticket_thread.php" (line 52).
Example URL:
/cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]
CODE:
$sql = "SELECT t.ticket_id, t.ticket_subject,
t.ticket_status, t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id,
t.ticket_priority, th.thread_address_id, ad.address_address,
t.queue_addresses_id, q.queue_name " .
"FROM ticket t, thread th, address ad, queue q " .
"WHERE t.ticket_queue_id IN ($u_qids) AND th.ticket_id =
t.ticket_id AND t.ticket_queue_id = q.queue_id AND th.thread_address_id =
ad.address_id AND t.ticket_id = " . $ticket . " GROUP BY th.thread_id
LIMIT 0,1";
Solution:
-------------------------------------------------------------------------------
Not available, maybe changing every "$cerberus_db->query($sql)" to
"$cerberus_db->escape($sql)".
History:
-------------------------------------------------------------------------------
15-20/Nov/2005 --- Bugs discovered
11/Dec/2005 --- The Author has been notified .
19/Dec/2005 --- Full disclosure
|
|
|