OneOrZero Helpdesk tinfo.php Arbitrary File Upload

Nessus Network Monitor Plugin ID 4801 (Severity: High)

Synopsis

The remote web server contains a PHP application that is affected by an arbitrary file upload vulnerability.

Description

The remote host is running OneOrZero Helpdesk, a web-based helpdesk application written in PHP. The version of OneOrZero Helpdesk installed on the remote host allows uploads of arbitrary files via the 'tinfo.php' script, provided the 'send_email' POST parameter is set. By uploading a file containing arbitrary PHP code, an unauthenticated remote attacker can likely leverage this issue to execute code subject to the privileges of the web server user ID.

In addition, there is a flaw in the 'login.php' script when handling the 'default_language' parameter, which would allow an attacker to view or execute arbitrary local files.

Note that successful exploitation of the file upload issue requires that 'Task Attachments' is enabled, which is the default; if 'Task Attachments' has been disabled, the host is not vulnerable to this flaw. Further, note that there is also reportedly a SQL injection issue involving the Content_Type of uploaded files that affects this version of OneOrZero Helpdesk.

Solution

Log into the application's control panel as the administrator and disable 'Task Attachments' (under 'OneOrZero Settings'). When released, upgrade to version 1.6.5.8 or higher.

See Also

http://www.securityfocus.com/bid/32959

Plugin Details

Severity: High

ID: 4801

Family: CGI

Published: 12/23/2008

Updated: 3/6/2019

Nessus ID: 35261

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:oneorzero:oneorzero_helpdesk

Reference Information

CVE: CVE-2009-0886

BID: 34029, 32959