Vision HelpDesk – Module Local File Inclusion (R911-0162)

Type: LFI
Location: Remote
Impact: Medium
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 3.8.8
Fixed Version: 3.9.6
CVE: -
R911: 0162
Date: 2014-06-05
By: RACK911

Product Description:

Vision Helpdesk is web-based help desk software that allows support for multiple companies to be managed in one place, with a single staff portal shared by all companies and a separate client portal for each company.

Vulnerability Description:

A Local File Inclusion vulnerability in the module loading functionality allows a malicious user to make the application include files from outside the intended module directory, disclosing local files that could yield sensitive information.
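The following is an added illustration of the bug class described above; it is not Vision HelpDesk code and not part of the RACK911 advisory. It assumes a PHP application that selects a module file from a request parameter (the parameter name "module" and the directory layout are hypothetical) and places the unsafe pattern next to a hardened resolver that uses an exact-match allowlist, a strict character set and a realpath containment check.

```php
<?php
// Added illustration, not Vision HelpDesk or RACK911 code: the generic
// pattern behind a module-style Local File Inclusion, next to a hardened
// resolver. The request parameter name ("module"), the modules directory
// layout and the PHP implementation are assumptions made for this example.
declare(strict_types=1);

// VULNERABLE pattern: a user-controlled module name is concatenated into
// the include path. A value such as "../../../../etc/passwd" walks out of
// the modules directory; on PHP older than 5.3.4 a trailing NUL ("%00")
// also truncated the ".php" suffix.
function vulnerableModulePath(string $baseDir, string $module): string
{
    return $baseDir . '/' . $module . '.php';   // would then be passed to include()
}

// HARDENED pattern: exact-match allowlist, a strict character set, and a
// realpath containment check so the resolved file must live under $baseDir.
function safeModulePath(string $baseDir, string $module, array $allowed): ?string
{
    if (!in_array($module, $allowed, true)) {
        return null;                               // unknown module name
    }
    if (!preg_match('/\A[a-z0-9_]+\z/', $module)) {
        return null;                               // "/", ".", NUL etc. are never allowed
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $module . '.php');
    if ($base === false || $candidate === false) {
        return null;                               // directory or module file missing
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                               // resolved outside the modules dir
    }
    return $candidate;
}

// Self-check with constructed inputs (run with: php lfi_example.php).
if (PHP_SAPI === 'cli') {
    $baseDir = sys_get_temp_dir() . '/lfi_demo_modules';
    @mkdir($baseDir, 0700, true);
    file_put_contents($baseDir . '/tickets.php', "<?php // demo module\n");

    $allowed = ['tickets', 'knowledgebase'];       // names the application actually ships
    $inputs  = ['tickets', '../../../../etc/passwd', "tickets\0", 'tickets/../../config'];
    foreach ($inputs as $module) {
        printf("%-28s vulnerable -> %s\n%-28s safe       -> %s\n",
            addcslashes($module, "\0"),
            addcslashes(vulnerableModulePath($baseDir, $module), "\0"),
            '',
            safeModulePath($baseDir, $module, $allowed) ?? 'REJECTED');
    }
}
```

In the self-check only the plain "tickets" value survives the hardened resolver; the traversal, NUL and nested-path inputs are rejected at the allowlist, and the regex and realpath checks remain as defence in depth should the allowlist ever be built dynamically (for example from a directory listing).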

Impact:

We have rated this vulnerability MEDIUM because sensitive information could be obtained from the affected host.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 3.8.8 and is believed to exist in all versions prior to the fixed build listed below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 3.9.6.

Vendor Contact Timeline:

2014-05-15: Vendor contacted via email.
2014-06-05: Vendor confirms vulnerability.
2014-06-05: Vendor issues updates to all builds.
2014-06-05: Rack911 issues security advisory.