h2desk helpdesk path disclosure vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: h2desk helpdesk path disclosure vulnerability
From: joseph.giron13@xxxxxxxxx
Date: 1 Mar 2008 14:31:00 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Heathco's h2desk helpdesk ticking system provides a ticketing solution for 
small and large organizations alike. Blah blah. 

On to the exploit. h2desk's session handling is custom and doesnt use the 
standard phpsession id handling. As a result, if you add a tic (') or any other 
invalid character to the session ID (stored within a cookie) you get a nice 
path disclosure.

Also, you can access the database dump utility without admin rights. 
helpdesk/index.php?pid=databasedump 
This can be used to dump the users table.

No patch, no fix. Have fun.

Prev by Date: Koobi CMS 4.3.0 - 4.2.3 (categ) Remote SQL Injection Vulnerability
Previous by thread: Koobi CMS 4.3.0 - 4.2.3 (categ) Remote SQL Injection Vulnerability
Next by thread: Re: h2desk helpdesk path disclosure vulnerability
Index(es):
- Date
- Thread