Title: Cerberus Helpdesk multiple vulnerabilities.
Severity: Medium
Affected: cerberus-gui (2.649), support-center (2.649<->3.2.0pr2)
Problem type: remote
Author: Alejandro Ramos <aramosf at unsec dot net>
Description:
-------------------------------------------------------------------------------
Cerberus Helpdesk is a WebGroup Media helpdesk suite based in php enviroment.
Official webpage: http://www.cerberusweb.com/
Details:
-------------------------------------------------------------------------------
support-center:
*******************************
SQL injection in attachment_send.php (line 112):
You can download files from other users or use blind sql injection
attacks:
Example url:
.../support-center/cerberus-support-center/attachment_send.php?file_id=N
[SQL] &thread_id=1
CODE:
$sql = "SELECT part_content FROM thread_attachments_parts WHERE file_id
= $file_id";
XSS:
http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E
cerberus-gui (parser-related):
*******************************
There are few sql injections if XML is malicious generated:
SQL injections in email_parser.php:
Function: "is_queue_address" (line: 1397) doesn.t check properly the
"$addy" value.
CODE:
$sql = sprintf("SELECT q.queue_name, q.queue_mode,
q.queue_email_display_name, ".
"qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".
"qa.queue_domain, q.queue_prefix, q.queue_response_open, ".
"q.queue_send_open, q.queue_response_gated ".
"FROM queue_addresses qa ".
"LEFT JOIN queue q USING (queue_id) ".
"WHERE LOWER(qa.queue_address) = '%s' ".
"AND LOWER(qa.queue_domain) = '%s'",
strtolower($mailbox),
strtolower($domain)
Function: "is_banned_address" (line: 752) doesn.t check "$address" properly.
CODE:
SELECT a.address_banned FROM address a WHERE a.address_address =
'".$address."'";
Function: "is_admin_address" (line 1532) you can bypass this function
using, as an email address, the following query: "'OR'u.user_superuser'='1'--".
Example of result of this query:
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email
= '' OR u.user_superuser = '1'
CODE:
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email
= '$address'";
SQL injection in structs.php:
Function: "cer_email_address_struct" (line: 167) doesn.t check the
following query.
CODE:
$sql = "SELECT a.address_id,a.address_banned FROM address a WHERE
a.address_address = '" . $a_address . "'";
cerberus-gui:
*******************************
SQL injection in cer_KnowledgebaseHandler.class.php:
Function: "_load_article_details" (line 270), you can fetch "superuser" md5
password with blind sql injection.
Example URL:
/cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4
[SQL]
CODE:
$sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public,
k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text,
kp.kb_problem_text_is_html, " .
" ks.kb_solution_text, ks.kb_solution_text_is_html,
kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating,
k.kb_rating_votes " .
" FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON
(kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on (ks.kb_id=k.kb_id) ".
" LEFT JOIN knowledgebase_categories kc ON
(kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON
(k.kb_entry_user=u.user_id) " .
" WHERE k.kb_id = " . $kbid;
SQL injection in "addresses_export.php":
Example URL:
POST: /cerberus-gui/addresses_export.php
sid=c61ce82aa50569705dd774c33644446c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x
CODE:
$sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT JOIN
thread th ON (t.min_thread_id=th.thread_id)
LEFT JOIN address a ON (th.thread_address_id=a.address_id) WHERE
t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";
SQL injection in "display.php". "$thread" is not checked
CODE:
$sql = "SELECT th.thread_address_id, a.address_address FROM thread th
LEFT JOIN address a ON (th.thread_address_id = a.address_id) ".
"WHERE th.thread_id = " . $thread;
SQL injection in "display_ticket_thread.php" (line 52).
Example URL:
/cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]
CODE:
$sql = "SELECT t.ticket_id, t.ticket_subject, t.ticket_status,
t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id, t.ticket_priority,
th.thread_address_id, ad.address_address, t.queue_addresses_id,
q.queue_name " .
"FROM ticket t, thread th, address ad, queue q " .
"WHERE t.ticket_queue_id IN ($u_qids) AND th.ticket_id = t.ticket_id
AND t.ticket_queue_id = q.queue_id AND th.thread_address_id = ad.address_id AND
t.ticket_id = " . $ticket . " GROUP BY th.thread_id LIMIT 0,1";
Solution:
-------------------------------------------------------------------------------
Not available, maybe changing every "$cerberus_db->query($sql)" to
"$cerberus_db->escape($sql)".
History:
-------------------------------------------------------------------------------
15-20/Nov/2005 --- Bugs discovered
11/Dec/2005 --- The Author has been notified .
19/Dec/2005 --- Full disclosure
--
A. Ramos <aka dab>
mailto: <aramosf@unsec.net>
http://www.unsec.net
