Ask not what osTicket community can do for you - ask what you can do for osTicket community

Go Back   osTicket Forums > Project Tools > osTicket Security Advisory > SVA
Reload this Page osTicket SVA-2009-624
Register Projects FAQ Members List Calendar Search Today's Posts Mark Forums Read

Issue Type SVA   Project osTicket Security Advisory
osTicket SVA-2009-624
Issue Tools
Blind SQL injection
Category Unknown
Affected Version 1.6 rc4
Priority 1 - Highest
Status fixed
Fixed Version 1.6 rc5
Users able to reproduce vulnerability 0
Submitted 06-26-2009
Attachments 0
Users unable to reproduce vulnerability 0
Assigned Users peter Tags mysql

issueid=118 06-26-2009 06:53 AM
Developer
osTicket SVA-2009-624
Blind SQL injection
osTicket prior to v1.6 RC5 fails to properly handle or/and escape staff's usernames. This could potentially allow an attacker to carry out a blind SQL injection. The security risk is moderately critical and for this reason we strongly recommend upgrading to the latest version (osTicket v1.6 RC5) as soon as possible. If you are unable to upgrade immediately, you should patch your current installation until you are able to do a complete upgrade.

Below are instructions on how to temporarily patch osTicket v1.6 RC1-RC4;

* In include/class.staff.php line 41

chage

PHP Code:
$sql=sprintf("SELECT * FROM ".STAFF_TABLE." LEFT JOIN ".GROUP_TABLE." USING(group_id) WHERE %s ",is_numeric($var)?"staff_id=$var":"username='$var'"); 
to

PHP Code:
$sql=sprintf('SELECT * FROM '.STAFF_TABLE.' LEFT JOIN '.GROUP_TABLE.' USING(group_id) WHERE %s=%s ',
                        is_numeric($var)?'staff_id':'username',db_input($var)); 
* In include/class.config.php around line 142 (unrelated bug)

change

PHP Code:
function getDefaultEmailId(){
     return $this->config['default_dept'];
to

PHP Code:
 function getDefaultEmailId(){
     return $this->config['default_email'];
Full upgrade is strongly advised. To contact osTicket developers regarding security related issues or any concerns, please use the form at http://osticket.com/support/contact.php


Credit: Adam Baldwin @ nGenuity - thank you for giving us generous time to release the fix
Reply

06-26-2009 09:51 AM
Issue Changed by peter
  • Status changed from open to fixed
  • User assignments modified
  • Priority changed from 5 - Medium to 1 - Highest
06-29-2009 05:05 PM
Issue Changed by peter
  • summary changed from osTicket SVA-2009-624 to Blind SQL injection
  • Tags modified

Issue Tools
Subscribe to this issue

All times are GMT -4. The time now is 09:22 AM.

Contact Us - osTicket Community Forums - Archive - Top