lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 21 Jul 2015 09:41:21 +0200
From: Simon Rawet <>
Subject: [FD] Joomla! plugin Helpdesk Pro < 1.4.0

Document Title
Joomla! plugin Helpdesk Pro < 1.4.0

Reported By
Simon Rawet from Outpost24
Kristian Varnai from Outpost24
Gregor Mynarsky from Outpost24

For full details, see;

Tested on
All exploits were tested and verified by Outpost24 for HelpDesk Pro
version 1.3.0. While no official testing has been done on earlier
versions, all versions prior to 1.4.0, where the issues were finally
patched, are suspected of being vulnerable.

Release Date

CVE-2015-4071 CVSS: 4.0 Direct Object References
CVE-2015-4072 CVSS: 6.5 Multiple XSS
CVE-2015-4073 CVSS: 7.8 SQL Injection
CVE-2015-4074 CVSS: 7.8 Local file disclosure/Path traversal
CVE-2015-4075 CVSS: 6.8 File Upload

Vulnerability Disclosure Timeline:
2015-05-23: Vulnerabilities discovered and reported to mitre
2015-05-25: Vendor contacted
2015-06-21: Vendor released update version: 1.4.0
2015-07-16: Public disclosure


Direct object references CVE-2015-4071.
Path: http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}

It's possible to read other users' support tickets by changing the
numeric id.

XSS CVE-2015-4072.
Mostly authenticated dependent on site configuration
Output validation is universally overlooked
Example: Name and message

SQLi CVE-2015-4073 for both SQLi.

There are 3 SQLi:

Vulnerable parameter: filter_order
Path: http://{url}/index.php?option=com_helpdeskpro&view=tickets
Post data:

Vulnerable parameter: ticket_code

Vulnerable parameter: email
Path: http://{url}/index.php?option=com_helpdeskpro&
Post data: name=asdf&"%20and%20sleep(5)%20and%20"3"="3

Local file disclosure/Path traversal CVE-2015-4074.

File Upload CVE-2015-4075.
Path: http://{url}/index.php?option=com_helpdeskpro&
Injected parameter: item, keys, attacker specified
Post data:
Description: Allows for .ini files to be created wherever the web server
has write access. If the .ini file already exists and is writable, it
will be overwritten by the server. In a poorly configured system, this
will allow for code execution by including applicable arguments in .ini
files. This however is not applicable to most systems. Any non-protected
.ini files will be possible to replace, with impact depending per file.
This PoC will overwrite the file /etc/php5/apache2/php.ini with the content:

Best Regards,
Simon Rawet
Web Application Analyst, Outpost24 AB
Skeppsbrokajen 8 | 371 33 Karlskrona | Sweden
T: +46 708 474 323
---Outpost24 - Vulnerability Management Made Easy!---

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists