ArcticDesk – Arbitrary File Upload (R911-0047)

Type: Arbitrary File Upload
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.0
Fixed Version: 1.2.1
CVE: -
R911: 0047
Date: 2013-07-24
By: http://www.rack911.com

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

An attacker can manipulate the attachments field when submitting a trouble ticket to upload a file of any type, regardless of its extension. Uploading a malicious PHP file this way lets the attacker gain access to the account through a web shell or other means, and from there compromise the MySQL database or modify files.
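As an added illustration of the defence, not code from this advisory or from ArcticDesk: a server-side validator for ticket attachments that enforces an extension allowlist (an assumed policy), checks magic bytes against the declared type, and stores the file under a server-chosen name.

```python
import os
import re
import secrets

# Assumed help-desk attachment policy (not ArcticDesk's own):
# extension -> magic-byte prefixes the uploaded bytes must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "txt": [],  # no magic bytes; must be served with a non-executable Content-Type
}

SAFE_BASENAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def validate_attachment(filename: str, content: bytes) -> str:
    """Return the allowlisted extension of a ticket attachment, or raise ValueError.

    Rejects: path components (traversal out of the upload directory), names with
    zero or several extensions (so 'shell.php.png' fails), extensions outside the
    allowlist (so 'shell.php' fails), and content whose magic bytes do not match
    the declared type (so a PHP script renamed to .png fails).
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_BASENAME.match(base):
        raise ValueError("unsafe attachment name")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("attachment must have exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension .{ext} is not allowed")
    if ALLOWED_TYPES[ext] and not any(content.startswith(m) for m in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return ext


def stored_name(ext: str) -> str:
    """Server-chosen on-disk name: random, never the user-supplied one.

    Combined with storing attachments outside the web root and returning them
    through a download handler, this keeps an uploaded file from being executed.
    """
    return f"{secrets.token_hex(16)}.{ext}"
```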

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that a malicious user can upload any file and potentially gain access to the database and/or other files under the software.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.0.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.1.

Vendor Contact Timeline:

2013-05-02: Vendor contacted via email.
2013-05-02: Vendor confirms vulnerability.
2013-06-25: Vendor issues 1.2.1 update.
2013-07-24: Rack911 issues security advisory.