Jun 26 2009

osTicket Admin Login Blind SQL Injection

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2009-007 osTicket Admin Login Blind SQL Injection
   Application: osTicket v1.6 RC4
        Vendor: osTicket
Vendor website: http://www.osticket.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
    "osTicket is a widely-used open source support ticket system. It seamlessly
    integrates inquiries created via email and web-based forms into a simple
    easy to use multi-user web interface. Easily manage, organize and archive
    all your support requests and responses in one place while providing your
    clients with accountability and responsiveness they deserve." [1]

  II. DETAILS
    osTicket prior to v1.6 RC5 fails to validate or escape staff usernames, which
    an unauthenticated attacker can abuse to execute a blind SQL injection attack
    against the admin login.

    The vendor has provided a new release v1.6 RC5 which addresses this vulnerability.
    They have also provided patching instructions [2] should you be unable to perform
    a full upgrade at this time.

    One sample attack string might look similar to the following:
    '+(SELECT IF(SUBSTRING(passwd,1,1)=CHAR(48),BENCHMARK(1000000,SHA1(1)),0) passwd
    FROM ost_staff where staff_id=1) and '1'='1
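
    The following is an added illustration, not osTicket's own code: the staff lookup written
    first in the unescaped-concatenation style the advisory describes, then in a hardened form
    using a mysqli prepared statement plus an allow-list check on the username. The connection
    $db, the column names, the username policy and bcrypt password hashing are assumptions.

```php
<?php
// Added example (hypothetical code, not osTicket's): the same staff lookup
// written in the vulnerable style the advisory describes and in a safe style.
// Assumes a live mysqli connection $db and the ost_staff table named above.

// VULNERABLE pattern: the username goes into the SQL text unescaped, so a value
// like the sample string above rewrites the query, and the conditional
// BENCHMARK() turns the response time into a one-bit oracle (hence "blind").
function find_staff_vulnerable(mysqli $db, string $username): ?array
{
    $sql = "SELECT staff_id, passwd FROM ost_staff WHERE username='" . $username . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// HARDENED: (1) reject anything that is not a plausible username before it
// reaches the database; (2) bind the value as a parameter so the driver sends
// it as data, never as SQL text. There is no escaping step left to get wrong.
function find_staff_safe(mysqli $db, string $username): ?array
{
    // Allow-list policy assumed for this example; adjust to the deployment.
    if (!preg_match('/^[A-Za-z0-9_.-]{2,32}$/', $username)) {
        return null;
    }
    $stmt = $db->prepare('SELECT staff_id, passwd FROM ost_staff WHERE username = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Login check built on the safe lookup. Assumes passwd holds a password_hash()
// value; the stored hash is never interpolated into SQL or compared directly.
function staff_login_ok(mysqli $db, string $username, string $password): bool
{
    $row = find_staff_safe($db, $username);
    return $row !== null && password_verify($password, $row['passwd']);
}
```
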

  III. REFERENCES
    [1] - http://www.osticket.com
    [2] - http://osticket.com/forums/project.php?issueid=118

  IV. VENDOR COMMUNICATION
    3.25.2009 - Vulnerability Discovery
    3.25.2009 - Vendor notification & initial vendor response
    6.26.2009 - Vendor releases fix in osTicket v1.6 RC5

Copyright (c) 2009 nGenuity Information Services, LLC

Jun 03 2009

Antivirus software is not a security panacea

Do you own a computer? Since you’re reading this let’s assume that you do. Does your computer have anti-virus software? Since you’re a reasonable, intelligent human being, let’s assume that it does. Do you also run something like Malwarebytes or SpyBotS&D? Since you’re a responsible netizen, let’s assume that you do. Does this mean that your computer is “secure”? Since your computer is on 24 hours a day, 365 days a year, let’s assume that it isn’t.

I can hear all of you now: “My antivirus is up to date! I’ve got nothing to worry about!”, “My spyware definitions are current, I’m protected!” The problem lies in a couple of factors. First, your antivirus was up to date the last time it was updated; ten minutes later, you are still vulnerable. Second, I can’t count how many times I have been asked to look at a computer that was “running slow” or “acting funny”, only to find that it had been all but taken over by malware. These are computers with updated anti-virus, owned by people just like you and me who religiously check their systems for evil bits and eradicate them. Just kidding! Most of the time, I find the anti-virus software is out of date (usually because the subscription expired), and nobody has ever taken the time to check for malware.

The truth is, anti-virus software is, at best, an arms race. The companies who make anti-virus software are forever playing catch-up to the people who write the viruses. They are perpetually one step behind, by design, because their technology is REACTIVE rather than PROACTIVE. Anti-virus software cannot protect you until the bad stuff has already made it to your system, by which time it may be too late. In addition, if you don’t know what you’re doing you can actually harm your system by trying to run too many of these anti-malware applications at the same time, or worse, reduce productivity while people try to work around a system that is not optimized for your environment. If your system is too aggressive, people will get in the habit of “clicking OK to make the box go away”, which can actually leave you more vulnerable to attack than if you didn’t have the software in the first place.

All of that being said, most anti-virus software does an excellent job of protecting you from known threats. Anti-malware software helps to clean your computer up after the evil bits have been installed. Both of these are important pieces of the security puzzle, but anyone who tells you, “Install this piece of software and you’ll be completely secure!”, is trying to sell you something. Any “security assessment” that only looks at whether your anti-virus software is up to date and you have the latest Microsoft patches installed is not a security assessment.

A lot of people today sell software wrapped up in a package with SECURE!!! written all over it; the number of people who can actually help you secure your priceless data is far lower.
