Detections
Analytics
osTicket <= 1.2.7 Multiple Vulnerabilities
medium Nessus Plugin ID 18193
Language:
Synopsis
The remote web server contains a PHP application that is prone to multiple vulnerabilities.Description
The version of osTicket installed on the remote host suffers from several vulnerabilities :- A Remote File Include Vulnerability The script 'include/main.php' lets an attacker read arbitrary files on the remote host and possibly even run arbitrary PHP code, subject to the privileges of the web server user.
- Two SQL Injection Vulnerabilities An authenticated attacker can affect SQL queries through the 'id' parameter of the 'admin.php' script as well as the 'cat' parameter of the 'view.php' script.
- Multiple Cross-Site Scripting Vulnerabilities osTicket does not properly sanitize user-supplied input in several scripts, which could facilitate the theft of cookie-based authentication credentials within the context of the affected website.
- A Directory Traversal Vulnerability The 'attachments.php' script may let an authenticated attacker read arbitrary files on the remote, subject to the privileges of the server user. This occurs only if attachment uploads have been specifically enabled by the administrator.
Solution
Upgrade to osTicket version 1.3.1 or later.See Also
http://www.nessus.org/u?da21f0a8
Plugin Details
Severity: Medium
ID: 18193
File Name: osticket_1_2_7.nasl
Version: 1.22
Type: remote
Family: CGI abuses
Published: 5/4/2005
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.6
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: cpe:/a:osticket:osticket
Required KB Items: www/osticket
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Vulnerability Publication Date: 5/2/2005
Reference Information
CVE: CVE-2005-1436, CVE-2005-1437, CVE-2005-1438, CVE-2005-1439
BID: 13478