CVE-2010-0605
Description
SQL injection vulnerability in scp/ajax.php in osTicket before 1.6.0 Stable allows remote authenticated users, with "Staff" permissions, to execute arbitrary SQL commands via the input parameter.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
osTicket 1.6 RC5 - Multiple Vulnerabilities
Advisory Name: SQL injection in osTicket
Vulnerability Class: SQL injection
Release Date: 2010-02-09
Affected Applications: Confirmed in osTicket 1.6 RC5. Other versions may also be affected.
Affected Platforms: Multiple
Local / Remote: Remote
Severity: High - CVSS: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Researcher: Nahuel Grisolía
Vendor Status: Acknowledged/Fixed. New release available: osTicket 1.6 Stable or check http://osticket.com/forums/project.php?issueid=176
Vulnerability Description:
A vulnerability has been discovered in osTicket, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed via the "input" parameter to ajax.php is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is confirmed in version 1.6 RC5. Other versions may also be affected.
Proof of Concept:
http://x.x.x.x/upload/scp/ajax.php?api=tickets&f=searchbyemail&input=nah%27%20%20union%20select%20username,passwd%20from%20ost_staff--%20and%20%27%%27%20LIKE%20%27
http://x.x.x.x/upload/scp/ajax.php?api=tickets&f=searchbyemail&input=nah%27%20%20union%20select%20%27%3C?php%20phpinfo%28%29;%20?%3E%27,%27%27%20into%20outfile%20%27/var/www/upload/images/info.php%27--%20and%20%27%%27%20LIKE%20%27
Impact: Execute arbitrary SQL queries.
Solution: Upgrade to osTicket 1.6 Stable or check http://osticket.com/forums/project.php?issueid=176
Vendor Response:
January 9, 2010 - First Contact
January 10, 2010 / February 4, 2010 - Updates on resolution
February 9, 2010 - Latest version and patch available
February 9, 2010 - Public Disclosure of the Vulnerability
Contact Information:
For more information regarding the vulnerability feel free to contact the researcher at
nahuel.grisolia <at> gmail <dot> com
Reflective XSS:
Advisory Name: Reflected Cross-Site Scripting (XSS) in osTicket
Vulnerability Class: Reflected Cross-Site Scripting (XSS)
Release Date: 2010-02-09
Affected Applications: Confirmed in osTicket 1.6 RC5. Other versions may also be affected
Affected Platforms: Multiple
Local / Remote: Remote
Severity: Medium - CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Researcher: Nahuel Grisolía
Vendor Status: Acknowledged/Fixed. New release available: osTicket 1.6 Stable or check http://osticket.com/forums/project.php?issueid=176
Vulnerability Description:
A reflected Cross Site Scripting vulnerability was found in osTicket 1.6 RC5, because the application fails to sanitize user-supplied input. Any logged-in user can trigger the vulnerability.
Proof of Concept:
http://x.x.x.x/upload/scp/ajax.php?api=1%3Cscript%3Ealert%28%22xss%22%29;%3C/script%3E&f=cannedResp
http://x.x.x.x/upload/scp/ajax.php?api=kbase&f=%3Cscript%3Ealert%28%22xss%22%29;%3C/script%3E
Impact:
An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application.
Solution: Upgrade to osTicket 1.6 Stable or check http://osticket.com/forums/project.php?issueid=176
Vendor Response:
January 9, 2010 - First Contact
January 10, 2010 / February 4, 2010 - Updates on resolution
February 9, 2010 - Latest version and patch available
February 9, 2010 - Public Disclosure of the Vulnerability
Contact Information:
For more information regarding the vulnerability feel free to contact the researcher at
nahuel.grisolia <at> gmail <dot> com
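As an added defender-side example (not part of the advisory, the Exploit-DB entry or the osTicket project), the following Python scans web-server access-log lines for the two request shapes the proofs of concept above send to scp/ajax.php: SQL keywords such as UNION SELECT or INTO OUTFILE in the "input" parameter, and script markup in the "api" or "f" parameters. The log lines are constructed here; the path and parameter names are taken from the PoC URLs, and values are percent-decoded a second time so double-encoded variants are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (not from the page); the request targets
# reproduce the shape of the advisory's PoC URLs against scp/ajax.php.
SAMPLE_LOG = """\
10.0.0.5 - alice [09/Feb/2010:10:01:02 +0000] "GET /upload/scp/ajax.php?api=tickets&f=searchbyemail&input=bob%40example.com HTTP/1.1" 200 512
10.0.0.9 - staff1 [09/Feb/2010:10:02:10 +0000] "GET /upload/scp/ajax.php?api=tickets&f=searchbyemail&input=nah%27%20%20union%20select%20username,passwd%20from%20ost_staff--%20and%20%27%25%27%20LIKE%20%27 HTTP/1.1" 200 2048
10.0.0.9 - staff1 [09/Feb/2010:10:03:44 +0000] "GET /upload/scp/ajax.php?api=tickets&f=searchbyemail&input=x%27%20union%20select%20%27a%27,%27%27%20into%20outfile%20%27/tmp/constructed%27-- HTTP/1.1" 200 128
10.0.0.12 - bob [09/Feb/2010:10:05:00 +0000] "GET /upload/scp/ajax.php?api=kbase&f=%3Cscript%3Ealert(%22xss%22)%3B%3C/script%3E HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures checked against decoded parameter values; kept narrow so an
# ordinary e-mail search in "input" does not trip them.
SIGNATURES = {
    "sqli": [re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # UNION SELECT
             re.compile(r"\binto\s+(out|dump)file\b", re.I),     # file write
             re.compile(r"'\s*--")],                               # quote + comment
    "xss":  [re.compile(r"<\s*script\b", re.I),
             re.compile(r"\bon[a-z]+\s*=", re.I),                  # onerror= etc.
             re.compile(r"javascript\s*:", re.I)],
}

def classify_request(target):
    """Sorted findings ('sqli:<param>' / 'xss:<param>') for one scp/ajax.php request."""
    parts = urlsplit(target)
    if not parts.path.endswith("/scp/ajax.php"):
        return []
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote_plus(raw)   # parse_qsl decoded once; catch double encoding
        for kind, patterns in SIGNATURES.items():
            if any(p.search(value) for p in patterns):
                findings.append(f"{kind}:{name}")
    return sorted(findings)

def scan_log(text):
    """Return (client, user, findings) for every log line with a finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (findings := classify_request(m.group("target"))):
            client, _, user = line.split(" ", 3)[:3]
            hits.append((client, user, findings))
    return hits

if __name__ == "__main__":
    for client, user, findings in scan_log(SAMPLE_LOG):
        print(f"{client} ({user}): {', '.join(findings)}")
```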
References
- http://osticket.com/forums/project.php?issueid=176
- http://packetstormsecurity.org/1002-exploits/osTicket-1.6-RC5-SQLi.pdf
- http://secunia.com/advisories/38515
- http://www.exploit-db.com/exploits/11380
- http://www.securityfocus.com/bid/38166
CWEs
CWE-89