Usage and diffusion of this document
The security advices of the ESUP-Portail consortium concern softwares distributed by the consortium. It is the responsability of each recipient of this document not to diffuse it to other people for obvious security reasons.
Object |
esup-helpdesk vulnerabiliy |
Reference |
ESUP-2009-AVI-001 |
First version |
2009 January 12th |
Latest version |
2009 January 14th |
Source |
University of Rennes 1 |
Diffusion |
Public |
History |
|
Attached files |
none. |
Risks
Identity theft by stealing session identifiers thanks to XSS attacks.
Affected systems
- esup-helpdesk distributions from 3.0.0 to 3.15.2
Summary
esup-helpdesk uses FCK Editor to enter ticket actions and edit FAQs. The HTML code entered this way is shown to the user as-is in the history of tickets and FAQs.
Description
- From 3.0.0 to 3.15.2, by loading a page that uses FCK Editor and disabling Javascript, it is possible to enter malicious code into the database, for instance by using HTML tags <script> or <iframe>. Afterthat the code is excuted by the users that view the affected ticket or FAQs.
- From 3.14.5 to 3.15.2, consequence of a mistake in the upgrade of FCK Editor (from 1.7.26 to 1.8), it is possible to enter arbitrary code without invalidating Javascript.
Javascript attacks include the steal of session identifiers, thus authorizating identity theft.
Solution
Release 3.16.0:
- removes the malicious tags entered by users before storing data to the database;
- removes the malicious code that could have been entered with previous releases.
Event if it is possible to trace the attacks (all the actions are traced in the application), it is strongly recommended to upgrade to release 3.16.0 or later as soon as possible.
Links
- Download esup-helpdesk: http://helpdesk.esup-portail.org
- ChangeLog