Vulnerabilities > CVE-2005-4427 - Input Validation vulnerability in Cerberus Helpdesk 2.649
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Multiple SQL injection vulnerabilities in Cerberus Helpdesk allow remote attackers to execute arbitrary SQL commands via (1) the file_id parameter to attachment_send.php, (2) the $addy variable in email_parser.php, (3) the $address variable in email_parser.php, (4) the $a_address variable in structs.php, (5) the kbid parameter to cer_KnowledgebaseHandler.class.php, (6) the queues[] parameter to addresses_export.php, (7) the $thread variable in display.php, or (8) the ticket parameter to display_ticket_thread.php.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Exploit-Db
- description: Cerberus Helpdesk 2.649 display_ticket_thread.php ticket Parameter SQL Injection. CVE-2005-4427. Webapps exploit for php platform; id: EDB-ID:26975; last seen: 2016-02-03; modified: 2005-12-27; published: 2005-12-27; reporter: A. Ramos; source: https://www.exploit-db.com/download/26975/; title: Cerberus Helpdesk 2.649 display_ticket_thread.php ticket Parameter SQL Injection
- description: Cerberus Helpdesk 2.649 cer_KnowledgebaseHandler.class.php _load_article_details Function SQL Injection. CVE-2005-4427. Webapps exploit for php platform; id: EDB-ID:26973; last seen: 2016-02-03; modified: 2005-12-27; published: 2005-12-27; reporter: A. Ramos; source: https://www.exploit-db.com/download/26973/; title: Cerberus Helpdesk 2.649 cer_KnowledgebaseHandler.class.php _load_article_details Function SQL Injection
- description: Cerberus Helpdesk 2.649 addresses_export.php queues Parameter SQL Injection. CVE-2005-4427. Webapps exploit for php platform; id: EDB-ID:26974; last seen: 2016-02-03; modified: 2005-12-27; published: 2005-12-27; reporter: A. Ramos; source: https://www.exploit-db.com/download/26974/; title: Cerberus Helpdesk 2.649 addresses_export.php queues Parameter SQL Injection
Nessus
NASL family CGI abuses NASL id CERBERUS_SUPPORT_CENTER_MULT_FLAWS.NASL description The remote host is running Cerberus Support Center, a customer support portal written in PHP. The installed version of Cerberus Support Center is affected by a cross-site scripting flaw due to its failure to sanitize input to the last seen 2020-06-01 modified 2020-06-02 plugin id 20347 published 2005-12-29 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20347 title Cerberus Support Center Multiple Remote Vulnerabilities (SQLi, XSS) code
#
# (C) Tenable Network Security, Inc.
#
# Plugin 20347: active, unauthenticated check for the reflected cross-site
# scripting flaw in Cerberus Support Center's 'kb_ask' parameter. The SQL
# injection in 'attachment_send.php' (CVE-2005-4427) is never probed here --
# the description below states it requires authentication -- so a hit on the
# XSS is what drives both findings. Script is in two phases: the
# 'if (description)' block registers metadata with the scanner and exits; the
# remainder is the runtime check.

include("compat.inc");

if (description)
{
  script_id(20347);
  script_version("1.26");

  script_cve_id("CVE-2005-4427", "CVE-2005-4428");
  script_bugtraq_id(16062);

  script_name(english:"Cerberus Support Center Multiple Remote Vulnerabilities (SQLi, XSS)");
  script_summary(english:"Checks for multiple vulnerabilities in Cerberus Support Center");

  script_set_attribute(attribute:"synopsis", value: "The remote web server has a PHP application that is affected by SQL injection and cross-site scripting flaws." );
  script_set_attribute(attribute:"description", value: "The remote host is running Cerberus Support Center, a customer support portal written in PHP. The installed version of Cerberus Support Center is affected by a cross-site scripting flaw due to its failure to sanitize input to the 'kb_ask' parameter of the 'index.php' script before using it in dynamically-generated web pages. In addition, it reportedly fails to sanitize input to the 'file_id' parameter of the 'attachment_send.php' script before using it in database queries. Exploitation of the SQL injection vulnerability requires that an attacker first authenticate while the cross-site scripting issue may be possible without authentication, depending on the application's configuration." 
);
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/972" );
  script_set_attribute(attribute:"see_also", value:"http://www.cerberusweb.com/devblog/?p=56" );
  # The vendor fix referenced here covers only the SQL injection; the XSS is
  # explicitly left unfixed by that solution text.
  script_set_attribute(attribute:"solution", value: "Upgrade to Cerberus Support Center 3.2.0pr2 and edit 'attachment_send.php' as described in the forum post referenced above. Note that this does not, though, fix the cross-site scripting issue." );
  # NOTE(review): the base vector says Au:N, but the description above says the
  # SQL injection needs authentication; the vector presumably reflects the
  # unauthenticated XSS path -- confirm before relying on it for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/29");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/20");
  script_cvs_date("Date: 2018/11/15 20:50:16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_ATTACK: this plugin sends a probe payload to the target rather than
  # only reading banners, so it is skipped when CGI scanning is disabled.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");

# Runtime phase: bail out early unless the web port can serve PHP.
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# A simple alert.
# The marker embeds SCRIPT_NAME so a reflected copy can be attributed to this
# plugin rather than to some other scanner probe.
xss = '<script>alert("' + SCRIPT_NAME + '")</script>';

# Loop through directories.
# Well-known install paths are only tried under thorough_tests; otherwise the
# check is limited to CGI directories the scanner already discovered.
if (thorough_tests) dirs = list_uniq(make_list("/support-center", "/support", cgi_dirs()));
else dirs = make_list(cgi_dirs());

# nb: the documentation uses 'support.php' when integrating the product
# into Cerberus Help Desk, although the actual name is arbitrary.
if (thorough_tests) files = make_list("index.php", "support.php");
else files = make_list("index.php");

foreach dir (dirs)
{
  foreach file (files)
  {
    # Try to exploit the XSS flaw.
    #
    # nb: we're SOL if authentication is required.
    r = http_send_recv3(method:"GET", port: port, item:string( dir, "/", file, "?", "mod_id=2&", "kb_ask=", urlencode(str:string("</textarea>", xss))));
    # A null response means the server did not answer at all; stop scanning
    # rather than retry every remaining directory/file combination.
    if (isnull(r)) exit(0);
    res = r[2];

    # There's a problem if...
    if (
      # the result looks like the results of a KB search and...
      '<td class="box_content_text">' >< res &&
      # we see our XSS.
      # The match is on the raw substring including the closing tag, so an
      # HTML-escaped echo of the input would not satisfy it.
      string("</textarea>", xss) >< res
    )
    {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      # NOTE(review): the SQLInjection KB flag is set on the strength of the
      # reflected XSS alone; the injection itself was not exercised. Downstream
      # consumers of this KB entry should treat it as inferred, not verified.
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}
NASL family CGI abuses NASL id CERBERUS_GUI_271.NASL description The remote host is running Cerberus Helpdesk, a web-based helpdesk suite written in PHP. The installed version of Cerberus Helpdesk is affected by several SQL injection issues and one cross-site scripting flaw because of its failure to sanitize user-supplied input to various parameters and scripts before using it in database queries and in dynamically- generated HTML. Successful exploitation of these issues requires that an attacker first authenticate. last seen 2020-06-01 modified 2020-06-02 plugin id 20348 published 2005-12-29 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20348 title Cerberus Helpdesk GUI Agent < 2.7.1 Multiple Remote Vulnerabilities (SQLi, XSS) code
#
# (C) Tenable Network Security, Inc.
#
# Plugin 20348: version-based (banner) check for Cerberus Helpdesk GUI Agent
# releases below 2.7.1. Because every flaw it covers requires authentication
# (see the description below), nothing is probed; the plugin reads the
# unauthenticated login page and pattern-matches the version string in its
# footer. Script is in two phases: the 'if (description)' block registers
# metadata with the scanner and exits; the remainder is the runtime check.

include("compat.inc");

if (description)
{
  script_id(20348);
  script_version("1.23");

  script_cve_id("CVE-2005-4427", "CVE-2005-4428");
  script_bugtraq_id(16062);

  script_name(english:"Cerberus Helpdesk GUI Agent < 2.7.1 Multiple Remote Vulnerabilities (SQLi, XSS)");
  script_summary(english:"Checks for multiple vulnerabilities in Cerberus Helpdesk GUI Agent < 2.7.1");

  script_set_attribute(attribute:"synopsis", value: "The remote web server has a PHP application that is affected by multiple SQL injection and cross-site scripting flaws." );
  script_set_attribute(attribute:"description", value: "The remote host is running Cerberus Helpdesk, a web-based helpdesk suite written in PHP. The installed version of Cerberus Helpdesk is affected by several SQL injection issues and one cross-site scripting flaw because of its failure to sanitize user-supplied input to various parameters and scripts before using it in database queries and in dynamically- generated HTML. Successful exploitation of these issues requires that an attacker first authenticate." 
);
  # see_also reference is commented out in the shipped plugin.
  # script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4b22b720" );
  # Solution text predates the fixed release; treat "when it becomes
  # available" as historical wording.
  script_set_attribute(attribute:"solution", value: "Upgrade to Cerberus GUI Agent version 2.7.1 when it becomes available." );
  # NOTE(review): Au:N in the base vector contradicts the description's
  # "requires that an attacker first authenticate"; confirm which is intended
  # before using this score for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/29");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/20");
  script_cvs_date("Date: 2018/06/13 18:56:26");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cerberus:cerberus_helpdesk");
  script_end_attributes();

  # ACT_GATHER_INFO: read-only; this plugin never sends a probe payload.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Runtime phase: bail out early unless the web port can serve PHP.
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Loop through directories.
# Well-known install paths are only tried under thorough_tests; otherwise the
# check is limited to CGI directories the scanner already discovered.
if (thorough_tests) dirs = list_uniq(make_list("/cerberus", "/cerberus-gui", "/helpdesk", "/tickets", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Get the login page.
  r = http_send_recv3(method:"GET", item:string(dir, "/login.php"), port:port);
  # A null response means the server did not answer at all; stop scanning
  # rather than retry the remaining directories.
  if (isnull(r)) exit(0);
  res = r[2];

  # Exploitation requires authentication so the best we can do is a banner check.
  # The pattern accepts footer versions 0.x and 1.x ('[01]\..+'), 2.0.x through
  # 2.6.x ('2\.[0-6]\..*') and exactly 2.7.0 ('2\.7\.0'), i.e. anything below
  # 2.7.1. A banner match cannot tell a patched-in-place install from a
  # vulnerable one, so expect false positives where the footer was not updated.
  if (egrep(pattern:'class="cer_footer_text">Cerberus Helpdesk .+ Version ([01]\\..+|2\\.([0-6]\\..*|7\\.0)) Release<br>', string:res))
  {
    security_hole(port);
    # NOTE(review): both KB flags are set purely from the version string; neither
    # the XSS nor any SQL injection was exercised. Downstream consumers should
    # treat these entries as version-inferred findings.
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}
References
- http://forum.cerberusweb.com/showthread.php?s=&postid=30315
- http://marc.info/?l=full-disclosure&m=113500878630130&w=2
- http://secunia.com/advisories/18112
- http://www.osvdb.org/21988
- http://www.osvdb.org/21990
- http://www.osvdb.org/21991
- http://www.osvdb.org/21992
- http://www.osvdb.org/21993
- http://www.osvdb.org/21994
- http://www.osvdb.org/21995
- http://www.securityfocus.com/archive/1/420271/100/0/threaded
- http://www.securityfocus.com/bid/16062
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23836