
OneOrZero Helpdesk tinfo.php Arbitrary File Upload

High

Synopsis

The remote web server contains a PHP application that is affected by an arbitrary file upload vulnerability.

Description

The remote host is running OneOrZero Helpdesk, a web-based helpdesk application written in PHP. The version of OneOrZero Helpdesk installed on the remote host allows uploads of arbitrary files via the 'tinfo.php' script provided the 'send_email' POST parameter is set. By uploading a file containing arbitrary PHP code, an unauthenticated remote attacker can likely leverage this issue to execute code subject to the privileges of the web server user ID.

In addition, there is a flaw in the 'login.php' script when handling the 'default_language' parameter. An attacker would be able to view or execute arbitrary local files.

Note that successful exploitation of this issue requires that 'Task Attachments' is enabled, which is true by default. Further, note that there is also reportedly a SQL injection issue involving the Content_Type for uploaded files and affecting this version of OneOrZero Helpdesk. If 'Task Attachments' has been disabled, you are not vulnerable to this flaw.

Solution

Log in to the application's control panel as the administrator and disable 'Task Attachments' (under 'OneOrZero Settings'). When released, upgrade to version 1.6.5.8 or higher.