
CERT Coordination Center

Support Incident Tracker multiple vulnerabilities

Vulnerability Note VU#576355

Original Release Date: 2011-12-02 | Last Revised: 2011-12-02

Overview

Support Incident Tracker (or SiT!) version 3.65, and possibly earlier versions, contains multiple vulnerabilities, including malicious file uploads, SQL injection, cross-site scripting, and cross-site request forgery.

Description

According to the SiT! website:

"Support Incident Tracker (or SiT!) is a Free Software/Open Source (GPL) web based application which uses PHP and MySQL for tracking technical support calls/emails (also commonly known as a 'Help Desk' or 'Support Ticket System')."
SiT! is susceptible to multiple attacks, including malicious file uploads, SQL injection, cross-site scripting, and cross-site request forgery.

CWE-434: Unrestricted Upload of File with Dangerous Type
The incident_attachments.php script does not filter the attachment's extension properly. An attacker may upload any file to the web server and have it run with the privileges of the web service. This vulnerability could be used to upload a PHP shell, which may then serve as a backdoor. The upload file path is structured in the following way: /attachments-{hash}/{incident ID}/{file ID}-{file name}.{extension}. An attacker would need user access to the website as well as knowledge of the attachments folder path. The reporter describes two ways to obtain that path: brute forcing the default attachments folder name, which is feasible because of a weak generation algorithm, or using the move_uploaded_file.php script to generate an error message that includes the folder path.

The ftp_upload_file.php script is also vulnerable. An attacker may be able to upload any file to the web server and have it run with the privileges of the web service if they can guess the folder path.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The incident_attachments.php script is vulnerable to SQL injection. The attachment file name is not properly sanitized. An attacker may exploit this flaw to execute queries against the database.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The incident_attachments.php script is vulnerable to XSS. An attacker may be able to upload a filename that includes arbitrary script which will be run on the incident attachments web page.
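The three incident_attachments.php flaws described above (an unrestricted extension, a file name placed unsanitized into SQL, and a file name rendered unescaped) share one defensive pattern. The following is an added example and not SiT! code; ATTACHMENT_DIR, the attachments table and its columns, and the extension allowlist are assumptions.

```php
<?php
// Added example, not code from SiT!: a hardened attachment-upload path for
// the incident_attachments.php flaws described above. Hypothetical names:
// ATTACHMENT_DIR (a directory outside the web root), the `attachments`
// table and its columns, and the allowlist below.
const ALLOWED_EXTENSIONS = ['txt', 'log', 'pdf', 'png', 'jpg', 'jpeg', 'gif'];

/**
 * Returns [stem, ext] for a client-supplied name, or null to reject it.
 * Only the characters in the pattern are accepted, so directory parts, NUL
 * bytes and multiple extensions ("shell.php.txt") are all refused, and the
 * single extension must be on the allowlist (CWE-434).
 */
function parse_attachment_name(string $clientName): ?array
{
    if (!preg_match('/^([A-Za-z0-9_-]{1,100})\.([A-Za-z0-9]{1,8})$/', $clientName, $m)) {
        return null;
    }
    $ext = strtolower($m[2]);
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? [$m[1], $ext] : null;
}

/** Stores one entry of $_FILES; returns the new attachment id or null. */
function store_attachment(PDO $pdo, int $incidentId, array $upload): ?int
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    $parts = parse_attachment_name($upload['name']);
    if ($parts === null) {
        return null;
    }
    [$stem, $ext] = $parts;
    // The file name is a bound parameter, never part of the SQL text (CWE-89).
    $stmt = $pdo->prepare('INSERT INTO attachments (incident_id, filename) VALUES (?, ?)');
    $stmt->execute([$incidentId, "$stem.$ext"]);
    $fileId = (int) $pdo->lastInsertId();
    // On disk the name is server-generated and the directory is outside the web
    // root, so nothing the client chose selects a path or an interpreter.
    $target = ATTACHMENT_DIR . "/$incidentId-$fileId.$ext";
    return move_uploaded_file($upload['tmp_name'], $target) ? $fileId : null;
}

/** When listing attachments, HTML-encode the stored name (CWE-79). */
function attachment_label(string $filename): string
{
    return htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

A separate download script would serve files by id with a Content-Disposition header, so the web server never executes anything under ATTACHMENT_DIR.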

The link_add.php script is vulnerable to XSS. An attacker may be able to inject arbitrary script into the link creation page.

The translate.php script is vulnerable to XSS. An attacker may inject arbitrary script into a saved translation web page, which then executes with the permissions of the web service.

CWE-352: Cross-Site Request Forgery (CSRF)
The reporter states that most of the SiT! scripts are vulnerable to CSRF attacks. For example, an attacker may be able to trick a logged-in user into visiting the following URL to delete a user account: /user_delete.php?userid=6. It has been reported that all web pages except config.php, edit_user_permissions.php, forgotpwd.php, user_add.php and user_profile_edit.php are vulnerable.

Impact

An attacker may be able to inject arbitrary script, execute commands as a logged-in user, or upload malicious files to the web server.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information


Support Incident Tracker (SiT!)

Status: Affected

Notified: October 13, 2011 | Updated: December 01, 2011

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the reporter that wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Severity Metric: 1.94
Date Public: 2011-12-02
Date First Published: 2011-12-02
Date Last Updated: 2011-12-02 20:19 UTC
Document Revision: 24

Sponsored by CISA.