Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
BID:50632
Info
Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 50632 |
| Class: | Input Validation Error |
| CVE: |
CVE-2011-3829 CVE-2011-3830 CVE-2011-3831 CVE-2011-3832 CVE-2011-3833 |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 10 2011 12:00AM |
| Updated: | Nov 15 2011 12:53AM |
| Credit: | Secunia Research |
| Vulnerable: |
Support Incident Tracker SiT! 3.65 |
| Not Vulnerable: | |
Discussion
Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
Support Incident Tracker (SiT!) is prone to the following input-validation vulnerabilities:
1. A cross-site scripting vulnerability
2. An SQL-injection vulnerability
3. A PHP code-injection vulnerability
4. A path-disclosure vulnerability
5. An arbitrary-file-upload vulnerability
Exploiting these issues could allow an attacker to execute arbitrary code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Access to sensitive data may also be used to launch further attacks against a vulnerable computer.
Support Incident Tracker (SiT!) 3.65 is vulnerable; other versions may also be affected.
Support Incident Tracker (SiT!) is prone to the following input-validation vulnerabilities:
1. A cross-site scripting vulnerability
2. An SQL-injection vulnerability
3. A PHP code-injection vulnerability
4. A path-disclosure vulnerability
5. An arbitrary-file-upload vulnerability
Exploiting these issues could allow an attacker to execute arbitrary code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Access to sensitive data may also be used to launch further attacks against a vulnerable computer.
Support Incident Tracker (SiT!) 3.65 is vulnerable; other versions may also be affected.
Exploit / POC
Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
An attacker can exploit some of these issues with a browser. To exploit the cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.
The following exploit is available:
An attacker can exploit some of these issues with a browser. To exploit the cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.
The following exploit is available:
Solution / Fix
Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
References:
References:
- Support Incident Tracker Homepage (Support Incident Tracker)
- Secunia Research: Support Incident Tracker "eval()" PHP Code Execution Vulnerabi (Secunia Research)
- Secunia Research: Support Incident Tracker "search_string" Cross-Site Scripting (Secunia Research)
- Secunia Research: Support Incident Tracker Arbitrary File Upload Vulnerability (Secunia Research)
- Secunia Research: Support Incident Tracker Attachments Path Disclosure Weakness (Secunia Research)
- Secunia Research: Support Incident Tracker File Name SQL Injection Vulnerability (Secunia Research)