oss-sec mailing list archives
CVE Request: PHP Support Ticket 2.2 <= Multiple Vulnerabilities
From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 18 Mar 2011 14:41:16 +0800
Advisory URL: http://yehg.net/lab/pr0js/advisories/php_support_ticket-2.2 Date published: 2009-07-23 Severity: High Vendor: Triangle Solutions Ltd (http://www.triangle-solutions.com/) Script URL: http://www.phpsupporttickets.com/ Demo URL: http://www.phpsupporttickets.com/modules/phpsupporttickets.com/demo/ Overview ========== This version of PHP Support Ticket is bundled together in today's one-click script installer of all/most web hosting providers. Customers have no clue of the vulnerabilities. Hosting providers always say marketing voice - easy deployment, one-click installation - but no security. ########################################################################### #1. Lack Of "install" directory removal check This will allow attackers to overwrite existing config files with junk data, making the PHP Ticket application stop working. In extreme case, advanced attackers will inject valid php codes to do more harm. #2. Hidden Debug paramter (tri_debug) File: /include/config.php Code: // Conditional Error Reporting if (isset($_GET['tri_debug'])) { $set_ini = ini_set('display_errors', 1); error_reporting(E_ALL); This will provide attackers every feedback for his attacking. For small case, this provides internal path disclosure. #3. Addon: PHPMailer Remote Code Execution PHP Support Ticket employed vulnerable version of PHPMailer class. File: /classes/class.phpmailer.php Code: if ($this->Sender != "") $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender); else $sendmail = sprintf("%s -oi -t", $this->Sendmail); 4. Possible Script Injection A number of scripts use dangerous eval function without enough filtering. File: /classes/GUI/abstract.GUI.php Code: return eval('return PHPST_PAGENAME_' . strtoupper($this->page) . ';'); ########################################################################### --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd
Current thread:
- CVE Request: PHP Support Ticket 2.2 <= Multiple Vulnerabilities YGN Ethical Hacker Group (Mar 18)