[VIM] PMOS Help Desk/etc. SQL injection - source verify and more info

Steven M. Christey coley at mitre.org
Tue Nov 28 17:27:18 EST 2006


Researchers: SwEET-DeViL & viP HaCkEr & HaCkEr sUn

Ref: BUGTRAQ:20061122 XSS in scriptat support InverseFlow Help Desk v2.31
URL: http://www.securityfocus.com/archive/1/archive/1/452397/100/0/threaded


According to this PMOS Help desk URL:

  http://www.h2desk.com/pmos/

PMOS is an open source release of a previous incarnation, InverseFlow,
and it's also being sold (allegedly illegally) as Ace Helpdesk and
possibly others.

Also, the download of PMOS Help Desk v2.4 has the following code
extracts that verify the SQL injection:


ticket.php
----------

  $res = mysql_query( "SELECT subject, ticket_id FROM {$pre}ticket WHERE ( email = '{$_GET[email]}' ) ORDER BY date DESC" );


ticketview.php
--------------

  $exists = get_row_count( "SELECT COUNT(*) FROM {$pre}ticket WHERE ( ticket_id = '{$_GET[id]}' && email = '{$_GET[email]}' )" );

get_row_count() (defined in include.php) feeds directly into a
mysql_query() call.

FYI, the $_GET values might be set if there's a POST instead.  Earlier
code (ticketview.php only) says:

  if( isset( $_POST[id] ) )
  {
    $_GET[id] = $_POST[id];
    $_GET[email] = $_POST[email];
  }


- Steve
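
A parameterized form of the ticketview.php existence check, as an added example that is not code from PMOS Help Desk or from the original post. It assumes PDO with an in-memory SQLite database (pdo_sqlite) in place of the application's MySQL connection; ticket_exists(), the pm_ prefix, the table layout and the sample row are constructed for illustration.

```php
<?php
// Added example: hardened form of the ticketview.php existence check.
// Assumptions: PDO + in-memory SQLite stand in for the MySQL connection;
// the table layout, prefix and sample row below are constructed.

function ticket_exists(PDO $db, string $pre, array $get, array $post): bool
{
    // The table prefix is an identifier and cannot be bound as a parameter,
    // so restrict it to a fixed character set before interpolating it.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $pre)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    // Same precedence as the original code: if POST carries an id,
    // both id and email are taken from POST, otherwise from GET.
    $src   = isset($post['id']) ? $post : $get;
    $id    = $src['id'] ?? '';
    $email = $src['email'] ?? '';
    if (!is_string($id) || !is_string($email)) {
        return false; // array-valued parameters are rejected outright
    }

    // Values travel as bound parameters, never as part of the SQL text.
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM {$pre}ticket WHERE ticket_id = ? AND email = ?"
    );
    $stmt->execute([$id, $email]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pm_ticket (ticket_id TEXT, email TEXT, subject TEXT)');
$db->exec("INSERT INTO pm_ticket VALUES ('1001', 'o''brien@example.com', 'Printer')");

// An address containing a quote character is compared as data, not parsed as SQL.
var_dump(ticket_exists($db, 'pm_', ['id' => '1001', 'email' => "o'brien@example.com"], []));
// A different address for the same ticket id does not match.
var_dump(ticket_exists($db, 'pm_', ['id' => '1001', 'email' => 'other@example.com'], []));
// The POST path reaches the same bound query as the GET path.
var_dump(ticket_exists($db, 'pm_', [], ['id' => '1001', 'email' => "o'brien@example.com"]));
```

The same binding applies to the ticket.php SELECT, whose only request-supplied value is the email field.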

