Support Incident Tracker (or SiT!) version 3.65, and possibly earlier versions, contains multiple vulnerabilities, including malicious file uploads, SQL injection, cross-site scripting, and cross-site request forgery.
According to the SiT! website:
"Support Incident Tracker (or SiT!) is a Free Software/Open Source (GPL) web based application which uses PHP and MySQL for tracking technical support calls/emails (also commonly known as a 'Help Desk' or 'Support Ticket System')."
An attacker may be able to inject arbitrary script, execute commands as a logged-in user, or upload malicious files to the web server.
We are currently unaware of a practical solution to this problem.
Thanks to the reporter, who wishes to remain anonymous.
This document was written by Jared Allar.
Date First Published: 2011-12-02
Date Last Updated: 2011-12-02 20:19 UTC