Title: Cerberus Helpdesk multiple vulnerabilities.
Severity: Medium
Affected: cerberus-gui (2.649), support-center (2.649<->3.2.0pr2)
Problem type: remote
Author: Alejandro Ramos

Description:
-------------------------------------------------------------------------------

Cerberus Helpdesk is a WebGroup Media helpdesk suite based in php enviroment.
Official webpage: http://www.cerberusweb.com/



Details:
-------------------------------------------------------------------------------

support-center:
*******************************
a
    SQL injection in attachment_send.php (line 112):
        You can download files from other users or use blind sql injection attacks:
        Example url:
       .../support-center/cerberus-support-center/attachment_send.php?file_id=N [SQL] &thread_id=1
        CODE:
        $sql = "SELECT part_content FROM thread_attachments_parts WHERE file_id = $file_id";

    XSS:
    http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E



cerberus-gui (parser-related):
*******************************

There are few sql injections if XML is malicious generated:

    SQL injections in email_parser.php:

    Function: "is_queue_address" (line: 1397) doesn´t check properly the "$addy" value.  
     CODE:
        $sql = sprintf("SELECT q.queue_name, q.queue_mode, q.queue_email_display_name, ".
        "qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".
        "qa.queue_domain, q.queue_prefix, q.queue_response_open, ".
        "q.queue_send_open, q.queue_response_gated ".
        "FROM queue_addresses qa ".
        "LEFT JOIN queue q USING (queue_id) ".
        "WHERE LOWER(qa.queue_address) = '%s' ".
        "AND LOWER(qa.queue_domain) = '%s'",
        strtolower($mailbox),
        strtolower($domain)

    Function: "is_banned_address" (line: 752) doesn´t check "$address" properly.
     CODE:
        SELECT a.address_banned FROM address a WHERE a.address_address = '".$address."'";
        
    Function: "is_admin_address" (line 1532) you can bypass this function using, as an email address, the following query: "'OR'u.user_superuser'='1'--".
      Example of result of this query:
        SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '' OR u.user_superuser = '1'
     CODE:
        SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '$address'";


    SQL injection in structs.php:
    Function: "cer_email_address_struct" (line: 167) doesn´t check the following query.
     CODE:
        $sql = "SELECT a.address_id,a.address_banned FROM address a WHERE a.address_address = '" . $a_address . "'";


cerberus-gui:
*******************************

    SQL injection in cer_KnowledgebaseHandler.class.php:
    Function: "_load_article_details" (line 270), you can fetch "superuser" md5 password with blind sql injection.
        Example URL:
            /cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4 [SQL]
        CODE:
          $sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public, k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text, kp.kb_problem_text_is_html, " .
          " ks.kb_solution_text, ks.kb_solution_text_is_html, kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating, k.kb_rating_votes " .
          " FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON (kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on (ks.kb_id=k.kb_id) ".
          " LEFT JOIN knowledgebase_categories kc ON (kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON (k.kb_entry_user=u.user_id) " .
          " WHERE k.kb_id = " . $kbid;
                   
    
    SQL injection in "addresses_export.php":
        Example URL:
          POST: /cerberus-gui/addresses_export.php
          sid=c61ce82aa50569705dd774c33644446c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x
         CODE:
          $sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT JOIN thread th ON (t.min_thread_id=th.thread_id)
           LEFT JOIN address a ON (th.thread_address_id=a.address_id) WHERE t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";
        
    SQL injection in "display.php". "$thread" is not checked
         CODE:
          $sql = "SELECT th.thread_address_id, a.address_address FROM thread th LEFT JOIN address a ON (th.thread_address_id = a.address_id) ".
          "WHERE th.thread_id = " . $thread;
               
    SQL injection in "display_ticket_thread.php" (line 52).
        Example URL:
          /cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]                
        CODE:
          $sql = "SELECT t.ticket_id, t.ticket_subject, t.ticket_status, t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id, t.ticket_priority, th.thread_address_id,      ad.address_address, t.queue_addresses_id, q.queue_name " .
          "FROM ticket t, thread th, address ad, queue q " .
          "WHERE t.ticket_queue_id IN ($u_qids) AND th.ticket_id = t.ticket_id AND t.ticket_queue_id = q.queue_id AND th.thread_address_id = ad.address_id AND t.ticket_id = " . $ticket . " GROUP BY th.thread_id LIMIT 0,1";

                       
Solution:
-------------------------------------------------------------------------------
Not available, maybe changing every "$cerberus_db->query($sql)" to "$cerberus_db->escape($sql)".


History:
-------------------------------------------------------------------------------
15-20/Nov/2005  --- Bugs discovered
11/Dec/2005     --- The Author has been notified .
19/Dec/2005     --- Full Disclosure
           


--
A. Ramos
mailto: <aramosf@unsec.net>
http://www.unsec.net