domingo, 18 de diciembre de 2005

Cerberus Helpdesk multiple vulnerabilities.

Title: Cerberus Helpdesk multiple vulnerabilities.
Severity: Medium
Affected: cerberus-gui (2.649), support-center (2.6493.2.0pr2)
Problem type: remote


Description:
-------------------------------------------------------------------------------

Cerberus Helpdesk is a WebGroup Media helpdesk suite based in php enviroment.
Official webpage: http://www.cerberusweb.com/



Details:
-------------------------------------------------------------------------------

support-center:
*******************************

SQL injection in attachment_send.php (line 112):
You can download files from other users or use blind sql injection attacks:
Example url:
.../support-center/cerberus-support-center/attachment_send.php?file_id=N [SQL] &thread_id=1
CODE:
$sql = "SELECT part_content FROM thread_attachments_parts WHERE file_id = $file_id";

XSS:
http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E



cerberus-gui (parser-related):
*******************************

There are few sql injections if XML is malicious generated:

SQL injections in email_parser.php:

Function: "is_queue_address" (line: 1397) doesn.t check properly the "$addy" value.
CODE:
$sql = sprintf("SELECT q.queue_name, q.queue_mode, q.queue_email_display_name, ".
"qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".
"qa.queue_domain, q.queue_prefix, q.queue_response_open, ".
"q.queue_send_open, q.queue_response_gated ".
"FROM queue_addresses qa ".
"LEFT JOIN queue q USING (queue_id) ".
"WHERE LOWER(qa.queue_address) = '%s' ".
"AND LOWER(qa.queue_domain) = '%s'",
strtolower($mailbox),
strtolower($domain)

Function: "is_banned_address" (line: 752) doesn.t check "$address" properly.
CODE:
SELECT a.address_banned FROM address a WHERE a.address_address = '".$address."'";

Function: "is_admin_address" (line 1532) you can bypass this function using, as an email address, the following query: "'OR'u.user_superuser'='1'--".
Example of result of this query:
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '' OR u.user_superuser = '1'
CODE:
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '$address'";


SQL injection in structs.php:
Function: "cer_email_address_struct" (line: 167) doesn.t check the following query.
CODE:
$sql = "SELECT a.address_id,a.address_banned FROM address a WHERE a.address_address = '" . $a_address . "'";


cerberus-gui:
*******************************

SQL injection in cer_KnowledgebaseHandler.class.php:
Function: "_load_article_details" (line 270), you can fetch "superuser" md5 password with blind sql injection.
Example URL:
/cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4 [SQL]
CODE:
$sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public, k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text, kp.kb_problem_text_is_html, " .
" ks.kb_solution_text, ks.kb_solution_text_is_html, kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating, k.kb_rating_votes " .
" FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON (kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on (ks.kb_id=k.kb_id) ".
" LEFT JOIN knowledgebase_categories kc ON (kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON (k.kb_entry_user=u.user_id) " .
" WHERE k.kb_id = " . $kbid;


SQL injection in "addresses_export.php":
Example URL:
POST: /cerberus-gui/addresses_export.php
sid=c61ce82aa50569705dd774c33644446c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x
CODE:
$sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT JOIN thread th ON (t.min_thread_id=th.thread_id)
LEFT JOIN address a ON (th.thread_address_id=a.address_id) WHERE t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";

SQL injection in "display.php". "$thread" is not checked
CODE:
$sql = "SELECT th.thread_address_id, a.address_address FROM thread th LEFT JOIN address a ON (th.thread_address_id = a.address_id) ".
"WHERE th.thread_id = " . $thread;

SQL injection in "display_ticket_thread.php" (line 52).
Example URL:
/cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]
CODE:
$sql = "SELECT t.ticket_id, t.ticket_subject, t.ticket_status, t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id, t.ticket_priority, th.thread_address_id, ad.address_address, t.queue_addresses_id, q.queue_name " .
"FROM ticket t, thread th, address ad, queue q " .
"WHERE t.ticket_queue_id IN ($u_qids) AND th.ticket_id = t.ticket_id AND t.ticket_queue_id = q.queue_id AND th.thread_address_id = ad.address_id AND t.ticket_id = " . $ticket . " GROUP BY th.thread_id LIMIT 0,1";


Solution:
-------------------------------------------------------------------------------
Not available, maybe changing every "$cerberus_db->query($sql)" to "$cerberus_db->escape($sql)".


History:
-------------------------------------------------------------------------------
15-20/Nov/2005 --- Bugs discovered
11/Dec/2005 --- The Author has been notified .
19/Dec/2005 --- Full disclosure