Vulnerability – ReadyDesk contains multiple vulnerabilities

ReadyDesk, version 9.1 and possibly others, contains SQL injection, path traversal, hard-coded cryptographic key, and arbitrary file upload vulnerabilities that may be leveraged to expose sensitive data and execute arbitrary code in the context of the vulnerable software.

Description

ReadyDesk is a help desk ticketing web application designed to facilitate business internal or business to customer interactions.

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') – CVE-2016-5048

The user name field of http:///readydesk/chat/staff/default.aspx fails to properly escape single quote characters, or ', provided as field input. Through error-based, blind SQL injection attacks, a remote, unauthenticated attacker may obtain full database contents, including user passwords which are stored as SHA1 hashes.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory – CVE-2016-5049

The SESID parameter of requests to http:///readydesk/chat/openattach.aspx is vulnerable to directory traversal and may be exploited to read arbitrary files on affected systems when combined with the FNAME parameter. For instance, to download SQL_Config.aspx, an attacker would make a request to:

http:///readydesk/chat/openattach.aspx?SESID=..\..\hd\data&FNAME=SQL_Config.aspx

CWE-321: Use of Hard-coded Cryptographic Key – CVE-2016-5683

SQL Server user credentials stored in SQL_Config.aspx are encrypted using a hard-coded cryptographic key found in ReadyDesk.dll. An attacker capable of obtaining the encrypted password can easily decrypt it for use in further attacks.

CWE-434: Unrestricted Upload of File with Dangerous Type – CVE-2016-5050

Files uploaded via http:///readydesk/chat/sendfile.aspx are not properly validated, allowing for arbitrary upload of files with a dangerous type. A remote, unauthenticated attacker could execute arbitrary code by uploading and making a request to a specially crafted aspx page.

The CVE score below describes CVE-2016-5050.

Impact

A remote, unauthenticated attacker can obtain sensitive database information, read arbitrary files, and execute arbitrary code in the context of the vulnerable software.
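
A detection sketch for the CVE-2016-5049 request pattern described above, added here as an example and not part of the original advisory: it scans IIS W3C logs for openattach.aspx requests whose SESID or FNAME decodes to a path component. The log layout, sample lines and addresses are constructed, and treating any path separator in these parameters as suspicious is an assumption about legitimate traffic.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log excerpt (not from the advisory); addresses are documentation ranges.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2016-08-01 10:00:01 GET /readydesk/chat/openattach.aspx SESID=8f3a2c&FNAME=invoice.pdf 192.0.2.10 200
2016-08-01 10:02:17 GET /readydesk/chat/openattach.aspx SESID=..\\..\\hd\\data&FNAME=SQL_Config.aspx 198.51.100.7 200
2016-08-01 10:02:40 GET /readydesk/chat/openattach.aspx SESID=%252e%252e%255chd%255cdata&FNAME=SQL_Config.aspx 198.51.100.7 200
2016-08-01 10:03:05 GET /readydesk/chat/default.aspx - 192.0.2.10 200
"""

TARGET = "/readydesk/chat/openattach.aspx"
# Assumption: a genuine session id never contains "..", a separator or a drive colon,
# and a genuine attachment name never contains a separator or a drive colon.
BAD = {"sesid": re.compile(r"\.\.|[\\/:]"), "fname": re.compile(r"[\\/:]")}

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded input is judged in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text):
    """Return (client_ip, parameter, decoded_value) for each flagged parameter."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names declared by IIS
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != TARGET:
            continue
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for key, values in query.items():
            pattern = BAD.get(key.lower())  # ASP.NET query keys are case-insensitive
            for raw in values if pattern else []:
                value = fully_decode(raw)
                if pattern.search(value):
                    hits.append((row.get("c-ip"), key.upper(), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```
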


