phphelpdesk Multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phphelpdesk Multiple vulnerabilities
From: Joseph.giron13@xxxxxxxxx
Date: 2 Nov 2007 22:53:35 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

phphelpdesk version 0.6.16 (latest)

http://phphelpdesk.sourceforge.net

phphelpdesk Multiple vulnerabilities

PhpHelpDesk is a popular solution for people looking for a way to manage their 
helpdesk tickets.
Presently there exists 2 vulnerabilites that affect the inegrity of systems who 
run the software.
The first of which is a local file inclusuion vulnerability. Problem exists in 
the GET'd variable
whatdodo. Its supposed to point to a series of pages, but the filter fails to 
catch users going
outside the lines with a little trailing null bye. Here is an example:

http://helpdesk.example/index.php?whattodo=../../../../../../../../etc/passwd%00

Reading files seems bad, but not that bad. The second vulnerability in question 
is the SQL
Injection at the login page. Yes, the classic ' or 1=1/* injection still holds 
true in the
login procedures of this app. 

I've emailed the project dev on sourceforge and am awaiting a response. 

Happy hacking.

Prev by Date: DoS Exploit for DHCPd bug (Bugtraq ID 25984 ; CVE-2007-5365)
Next by Date: [ MDKSA-2007:206 ] - Updated pwlib packages fix vulnerability
Previous by thread: DoS Exploit for DHCPd bug (Bugtraq ID 25984 ; CVE-2007-5365)
Next by thread: [ MDKSA-2007:206 ] - Updated pwlib packages fix vulnerability
Index(es):
- Date
- Thread