Info

Disclosure

Sep 19, 2005

Discovery

Sep 13, 2005

Dates

Exploit

Sep 20, 2005

Solution

Unknown

Description

Hesk Helpdesk contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an invalid PHPSESSID is sent to admin.php, and then the session ID is used to access administrative functions. This flaw may lead to a loss of Confidentiality, Integrity and/or Availability.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
OSVDB: Web Related

Solution

Upgrade to version 0.93.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Hesk

HelpDesk

0.93

References

Security Tracker: 1014942
Bugtraq ID: 14879
Secunia Advisory ID: 16859
Related OSVDB ID: 19573
CVE ID: 2005-3005 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0243.html
Vendor URL: http://www.phpjunkyard.com/free-helpdesk-software.php

Credit

Rajesh Sethumadhavan, Rahul Mohandas, and Jayesh K.S - os2a.btogmail.com - OS2A

Direct URL: http://osvdb.org/36218