________________________________________________________________________ ________ eTicket 'index.php' Cross Site Scripting Path Vulnerability ________________________________________________________________________ ________ Name: eTicket 'index.php' Cross Site Scripting Path Vulnerability Application: eTicket Versions Affected: 1.5.6-RC4 Severity: Medium Vendor: eTicket, http://sourceforge.net/projects/eticket Bug: XSS Path vulnerability Exploitation: Client side, remote Author: Alessandro `jekil` Tanasi email: alessandro (at) tanasi (dot) it [email concealed] web: http://www.tanasi.it Date: 20/01/2008 Advisory: http://www.lonerunners.net/users/jekil/pub/hack-eticket/hack-eticket.txt ________________________________________________________________________ ________ Table of contents: I. Background II. Description III. Analysis IV. Detection V. Fix VI. Vendor Response VII. CVE Information VIII. Disclousure timeline IX. Credits ________________________________________________________________________ ________ I. BACKGROUND eTicket is a PHP-based electronic (open source) support ticket system based on osTicket, that can receive tickets via email (pop3/pipe) or a web form. It also offers a ticket manager with many features. An ideal helpdesk solution for any website. II. DESCRIPTION The application eTicket version 1.5.6-RC4 is prone to a Cross Site Scripting Path vulnerability. III. ANALYSIS Attackers may exploit these issue through a web browser. To exploit the cross-site scripting issues, an attacker must entice an unsuspecting victim into visiting a malicious URI. IV. DETECTION Proof of concept: http://example.com/index.php/"><script>alert('XSS')</script> V. FIX Properly validate user input. VI. VENDOR RESPONSE No vendor response at this time. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 21012008 Bug discovered 21012008 Vendor contacted IX. CREDIT Alessandro `jekil` Tanasi is credited with the discovery of this vulnerability.