[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] eTicket version 1.5.5 XSS Attack Vulnerability
From:       "SecurityResearch" <securityresearch () netvigilance ! com>
Date:       2007-06-27 21:06:33
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A5D6 () beaverton ! portland ! local
[Download RAW message or body]

netVigilance Security Advisory #31
eTicket version 1.5.5 XSS Attack Vulnerability 
Description:
eTicket is an electronic (open source) support ticket system based on osTicket, that \
can receive tickets via email (pop3 or pipe) and a web-based form, as well as manage \
them using a web interface. Successful exploitation requires PHP register_globals set \
to On. External References: 
Mitre CVE:  CVE-2007-2801
NVD NIST: CVE-2007-2801
OSVDB: 34786
Summary: 
eTicket is an electronic (open source) support ticket system based on osTicket.
Security problem in the product allows attackers to conduct XSS attacks.
Advisory URL: 
http://www.netvigilance.com/advisory0031
Release Date:
06/27/2007
 
Severity:
Risk: Medium
 
CVSS Metrics:
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial 
Impact Bias: Normal
CVSS Base Score: 5.6
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
 
Vulnerability Impact: Attack
Host Impact: XSS Attack
SecureScout Testcase ID:
TC 17961
Vulnerable Systems:
eTicket version 1.5.5 (new version 1.5.5.1 is also vulnerable)
Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to the \
target, by sending a specially crafted request to the web-site. The vulnerable \
web-site is not the target of attack but is used as a tool for the hacker in the \
attack of the victim. Vendor:
HM2K
Vendor Status: 
HM 2K from eTicket got the Draft advisory on 21 May 2007 and got extensive support in \
how to fix the security problems on 23 May 2007 and 28 May 2007. In HM 2K's own words \
HM 2K "lost interest" and HM 2K "seriously found it too difficult to orchestrate what \
you [netVigilance] were asking from me [HM 2K], so I just did what I thought was \
best.". netVigilance's tests show that version 1.5.5.1 is also vulnerable. There \
currently is no official fix for this advisory.
Workaround:
In the php.ini file set register_globals = Off. 
Example: 
REQUEST:
http://[TARGET]/[PRODUCT FOLDER]/open.php?err=<script>alert(document.cookie)</script>
OR
http://[TARGET]/[PRODUCT \
FOLDER]/open.php?warn=<script>alert(document.cookie)</script> REPLY:
Will execute <script>alert(document.cookie)</script>
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic