Advisory for Oneorzero helpdesk

2006.10.25
Credit: Mike Klingler (whitehatguru gmail com)
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-5474
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Permanant Link : http://www.whitedust.net/speaks/3043/ ------------------------------------------------------------ - Advisory for OneOrZero Helpdesk - ------------------------------------------------------------ - OneOrZero Helpdesk - AFFECTED PRODUCTS ================= OneOrZero Helpdesk v1.6.0 - v1.6.4 OVERVIEW ======== From the website: "The OneOrZero Open Source Task Management and Help Desk System is a powerful task management and help desk application, based to 'get the job done'." http://www.oneorzero.com/ An insecure password reset allows external knowledge of what the password is set to. DETAILS ======= 1. Information Disclosure The forgot password function will reset the password after a security question is answered. However, the admin user has this password left blank by default and is often left that way after the program is installed. By attempting to reset the admin password and leaving the answer blank one can force a reset of the password. However, since the password reset function sets the password based only on the username and the time on the server, the password that it is set to can be determine easily. Once the time of a server is discovered determining what the password is set to becomes trivial. POC === 1. ------ The password is generated with the following code: $password = time().$_POST[username]; Quite often web servers will return the date on the servers for when the request is processed. For example "Date: Thu, 12 Oct 2006 01:11:21 GMT" The following command on a linux will return the unix time for the system for when the request was processed. bash$ date --date="Thu, 12 Oct 2006 01:11:21 GMT" "+%s" 1160615001 Which allows us to deduce the return password of 1160615001admin SOLUTION: ========= vendor contact: Info (at) oneorzero (dot) com [email concealed] Sept. 28 Vendor notification. halla (at) oneorzero (dot) com [email concealed] Sept. 29 Vendor reply halla (at) oneorzero (dot) com [email concealed] Oct. 10 oneorzero v1.6.5.4 released to address this issue. Credits ======= This vulnerability was discovered and researched by Michael Klingler whitehatguru at gmail.com SecurityMetrics, Inc.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top