Kasper Bertelsen, a security researcher at Outpost24 has discovered a number of vulnerabilities in the Joomla Helpdesk Pro extension which can lead to remote code execution on servers.
The Helpdesk Pro Joomla extension is developed by Ossolution Team and implements a feature rich support ticket system for Joomla, one of the most popular CMS on the web.
The flaws uncovered by Bertelsen and his colleagues Simon Rawet, Kristian Varnai, and Gregor Mynarsky are quite common in web applications, the vulnerabilities include cross-site scripting, direct object references, SQL injection, local file injection, path traversal, and arbitrary file upload.
Below the code assigned to the vulnerabilities.
CVE-2015-4071 CVSS: 4.0 Direct Object References
CVE-2015-4072 CVSS: 6.5 Multiple XSS
CVE-2015-4073 CVSS: 7.8 SQL Injection
CVE-2015-4074 CVSS: 7.8 Local file disclosure/Path traversal
CVE-2015-4075 CVSS: 6.8 File Upload
As explained by the experts the flaws in the Joomla Helpdesk Pro extension leave the servers hosting the platform open to a number of cyber attacks.
“[The security issues] leave systems vulnerable to a wide variety of attack types, with effects ranging from disclosure of potentially sensitive information, to a complete server takeover with arbitrary code execution,” says . “All of these attacks have been shown to have the potential to cause serious harm, many of them with the very real possibility of a full compromise of the server, and even the most harmless attack disclosing sensitive information about users. “
According to the experts at Outpost24, the exploits work for Joomla HelpDesk Pro version 1.3.0, meanwhile no official tests have been done on early versions.
“All versions prior to 1.4.0, where the issues were finally patched, are suspected of being vulnerable.”
The experts described in detail the flaws reported, the local file disclosure hole, for example, could be exploited by hackers to access the configuration.php file that contains sensitive data like users’ credentials. The experts explained that the exploit works because an the service used to download and upload documents not properly restrict downloaded files.
“This information can give an attacker free access to the database, or even the ability to freely upload their own files to the server, where they could then be executed, giving them complete access to the server,” Bertelsen says.
Users are recommended to upgrade their software to the last version.
(Security Affairs – Joomla Helpdesk Pro , hacking)