OneOrZero Helpdesk tinfo.php Arbitrary File Upload

high Nessus Plugin ID 35261

Synopsis

The remote web server contains a PHP application that is affected by an arbitrary file upload vulnerability.

Description

The remote host is running OneOrZero Helpdesk, a web-based helpdesk application written in PHP.

The version of OneOrZero HelpDesk installed on the remote host allows uploads of arbitrary files via the 'tinfo.php' script provided the 'send_email' POST parameter is set. By uploading a file with, say, arbitrary PHP code, an unauthenticated, remote attacker can likely leverage this issue to execute code subject to the privileges of the web server user id.

Note that successful exploitation of this issue requires that 'Task Attachments' be enabled, which is true by default.

Note that there is also reportedly a SQL injection issue involving the Content_Type for uploaded files and affecting this version of OneOrZero Helpdesk, although Nessus has not checked for it.

Solution

Log in to the application's control panel as the administrator and disable 'Task Attachments' (under 'OneOrZero Settings').

Plugin Details

Severity: High

ID: 35261

File Name: oneorzero_tinfo_arbitrary_upload.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 12/23/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

BID: 32959