search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Support Incident Tracker multiple vulnerabilities

Vulnerability Note VU#576355

Original Release Date: 2011-12-02 | Last Revised: 2011-12-02

Overview

Support Incident Tracker (or SiT!) version 3.65, and possibly earlier versions, contain multiple vulnerabilities including; malicious file uploads, SQL injection, cross-site scripting, and cross-site request forgery.

Description

According to the SiT! website:

"Support Incident Tracker (or SiT!) is a Free Software/Open Source (GPL) web based application which uses PHP and MySQL for tracking technical support calls/emails (also commonly known as a 'Help Desk' or 'Support Ticket System')."
SiT! is susceptible to multiple attacks, including; malicious file uploads, SQL injection, cross-site scripting, and cross-site request forgery.

CWE-434: Unrestricted Upload of File with Dangerous Type
The incident_attachments.php script does not filter the attachment's extension properly. An attacker may upload any file to the web server and have it run with the privileges of the web service. This vulnerability could be used to upload a PHP shell which may be used as a backdoor. The upload file path is structured in the following way: /attachments-{hash}/{incident ID}/{file ID}-{file name}.{extension}. An attacker would need user access to the website, as well as, brute forcing the attachments folder path. An attacker has two options to retrieve the folder path. The attacker could brute force the default attachments folder name because of a weak generation algorithm or the attacker could use the move_uploaded_file.php script to generate an error message that will include the folder path.

The ftp_upload_file.php script is also vulnerable. An attacker may be able to upload any file to the web server and have it run with the privileges of the web service if they can guess the folder path.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The incident_attachments.php script is vulnerable to SQL injection. The attachment file name is not properly sanitized. An attacker may exploit this flaw to execute queries against the database.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The incident_attachments.php script is vulnerable to XSS. An attacker may be able to upload a filename that includes arbitrary script which will be run on the incident attachments web page.

The link_add.php script is vulnerable to XSS. An attacker may be able to inject arbitrary script into the link creation page.

The translate.php script is vulnerable to XSS. An attacker may inject arbitrary script into a saved translation web page which is then execute with the permissions of the web service.

CWE-352: Cross-Site Request Forgery (CSRF)
The reporter states that most of the SiT! scripts are vulnerable to CSRF attacks. For example, an attacker may be able to trick a logged in user to visit the following URL to delete a user account: /user_delete.php?userid=6. It has been reported that all web pages except config.php, edit_user_permissions.php, forgotpwd.php, user_add.php and user_profile_edit.php are vulnerable.

Impact

An attacker may be able to inject arbitrary script, execute commands as a logged in user, or upload malicious files to the web server.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

576355
 
Affected   Unknown   Unaffected

Support incident Tracker SiT

Notified:  October 13, 2011 Updated:  December 01, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to the reporter that wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Severity Metric: 1.94
Date Public: 2011-12-02
Date First Published: 2011-12-02
Date Last Updated: 2011-12-02 20:19 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.