ArcticDesk – Custom Module Local File Inclusion Vulnerability (R911-0132)

Type: LFI
Location: Remote
Impact: High
Product: ArcticDesk
Website: http://www.arcticdesk.com
Vulnerable Version: 1.2.4
Fixed Version: 1.2.5
CVE: -
R911: 0132
Date: 2014-03-07
By: Rack911

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

There is a local file inclusion vulnerability in ArcticDesk's custom module handling that allows a malicious user to read files on the server which could yield sensitive information. Under the right circumstances it may even be possible to turn this into a remote file inclusion, which could allow commands to be executed.
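
The following is an added illustration of the bug class described above, not ArcticDesk's own code: a module loader that splices a user-supplied module name into a file path, beside a hardened loader that allow-lists the name, pins the extension and verifies the resolved path stays under the modules directory. The directory layout, file contents, and function names (load_module_vulnerable, load_module_safe, safe_rejects) are constructed for this example and are not taken from the product.

```python
import os
import re
import tempfile

# Constructed sandbox standing in for a web root: modules live under
# <root>/modules, and a "secret" file sits one level above them.
ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
MODULES_DIR = os.path.join(ROOT, "modules")
os.makedirs(MODULES_DIR)
with open(os.path.join(MODULES_DIR, "welcome.tpl"), "w") as f:
    f.write("welcome module")
with open(os.path.join(ROOT, "config.php"), "w") as f:
    f.write("db_password=hunter2")  # constructed sample secret


def load_module_vulnerable(name: str) -> str:
    """Vulnerable pattern: the module name from the request is joined onto
    the modules directory and read as-is. A name such as '../config.php'
    walks out of the directory and returns a file the user should not see."""
    path = os.path.join(MODULES_DIR, name)
    with open(path) as fh:
        return fh.read()


# Module names are identifiers only: no dots, slashes, colons or NULs, which
# rules out traversal ('../'), absolute paths and 'http://' style RFI input.
MODULE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def load_module_safe(name: str) -> str:
    """Hardened loader: strict allow-list on the name, extension appended by
    the code rather than the user, and a post-resolution containment check."""
    if not MODULE_NAME.fullmatch(name):
        raise ValueError("invalid module name")
    base = os.path.realpath(MODULES_DIR)
    path = os.path.realpath(os.path.join(base, name + ".tpl"))
    # Defence in depth: even if the regex were loosened later, a resolved
    # path outside the modules directory is still refused.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes modules directory")
    with open(path) as fh:
        return fh.read()


def safe_rejects(name: str) -> bool:
    """True if the hardened loader refuses this module name outright."""
    try:
        load_module_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", load_module_vulnerable("../config.php"))
    for candidate in ("welcome", "../config.php", "http://evil.example/x"):
        print(f"safe rejects {candidate!r}:", safe_rejects(candidate))
```

The containment check alone is not enough on its own either: if the extension is chosen by the user, a fixed directory still lets them pick arbitrary file types, which is why the hardened loader appends ".tpl" itself.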

Impact:

We rate this vulnerability HIGH because a malicious user can obtain sensitive data from the server.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.4.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.5.

Vendor Contact Timeline:

2014-02-27: Vendor contacted via email.
2014-02-27: Vendor confirms vulnerability.
2014-03-07: Vendor issues 1.2.5 update.
2014-03-07: Rack911 issues security advisory.