[VIM] PMOS Help Desk/etc. SQL injection - source verify and more info
Steven M. Christey
coley at mitre.org
Tue Nov 28 17:27:18 EST 2006
Researchers: SwEET-DeViL & viP HaCkEr & HaCkEr sUn
Ref: BUGTRAQ:20061122 XSS in scriptat support InverseFlow Help Desk v2.31
URL: http://www.securityfocus.com/archive/1/archive/1/452397/100/0/threaded
According to this PMOS Help desk URL:
http://www.h2desk.com/pmos/
PMOS is an open source release of a previous incarnation, InverseFlow,
and it's also being sold (allegedly illegally) as Ace Helpdesk and
possibly others.
Also, the download of PMOS Help Desk v2.4 has the following code
extracts that verify the SQL injection:
ticket.php
----------
$res = mysql_query( "SELECT subject, ticket_id FROM {$pre}ticket WHERE ( email = '{$_GET[email]}' ) ORDER BY date DESC" );
ticketview.php
--------------
$exists = get_row_count( "SELECT COUNT(*) FROM {$pre}ticket WHERE ( ticket_id = '{$_GET[id]}' && email = '{$_GET[email]}' )" );
get_row_count() (defined in include.php) feeds directly into a
mysql_query() call.
FYI, the $_GET values might be set if there's a POST instead. Earlier
code (ticketview.php only) says:
if( isset( $_POST[id] ) )
{
    $_GET[id] = $_POST[id];
    $_GET[email] = $_POST[email];
}
- Steve
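As an added illustration (not code from this post or from PMOS), the ticket.php query construction modelled in Python against an in-memory SQLite table, with the bound-parameter form beside it; the table prefix, sample rows and function names are assumptions.

```python
import sqlite3

# Constructed sample data mirroring the {$pre}ticket columns used in
# ticket.php (subject, ticket_id, email, date); the prefix is assumed.
PRE = "pmos_"
ROWS = [
    ("Login broken", 1001, "alice@example.com", "2006-11-20"),
    ("Printer offline", 1002, "o'neil@example.com", "2006-11-21"),
    ("Wrong invoice", 1003, "alice@example.com", "2006-11-22"),
]


def make_db():
    """Build an in-memory SQLite table standing in for {$pre}ticket."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PRE}ticket "
               "(subject TEXT, ticket_id INTEGER, email TEXT, date TEXT)")
    db.executemany(f"INSERT INTO {PRE}ticket VALUES (?, ?, ?, ?)", ROWS)
    return db


def tickets_vulnerable(db, email):
    """Same construction as ticket.php: the email is spliced into the SQL
    text, so any quote character in it changes the statement's structure."""
    sql = (f"SELECT subject, ticket_id FROM {PRE}ticket "
           f"WHERE ( email = '{email}' ) ORDER BY date DESC")
    return db.execute(sql).fetchall()


def tickets_parameterized(db, email):
    """Hardened form: the value is bound as a parameter, never as SQL text,
    so a quote in the email is just data."""
    sql = (f"SELECT subject, ticket_id FROM {PRE}ticket "
           "WHERE ( email = ? ) ORDER BY date DESC")
    return db.execute(sql, (email,)).fetchall()


def structure_altered(db, email):
    """Review-style check: True when the interpolated query fails to parse or
    returns a different row set than the bound-parameter query, i.e. the
    input reached the SQL parser as syntax rather than as a value."""
    try:
        return tickets_vulnerable(db, email) != tickets_parameterized(db, email)
    except sqlite3.OperationalError:
        return True
```

An address containing an apostrophe is a legitimate input that already breaks the interpolated query, which is the same property an attacker relies on; the parameterized version handles it unchanged.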