Vision HelpDesk – Various Modules Local File Inclusions (R911-0178)

Type: Local File Inclusion(s)
Location: Local
Impact: High
Product: Vision HelpDesk
Website: https://www.visionhelpdesk.com
Vulnerable Version: All prior versions.
Fixed Version: 4.1.2
CVE: -
R911: 0178
Date: 2015-05-23
By: RACK911 Labs

Product Description:

Vision Helpdesk is the only web-based help desk software that allows you to manage support for multiple companies in one place, with a single staff portal for all companies and a separate client portal for each company.

Vulnerability Description:

Various modules within Vision HelpDesk suffer from a local file inclusion vulnerability that could lead to a compromise under certain circumstances. Most of the risk arises when the software is installed in a shared hosting environment, which is highly likely given that it is bundled with the popular Softaculous one-click installer.

Impact:

We have rated this vulnerability HIGH because the entire help desk can be compromised if it is successfully exploited.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 4.0.2 and is believed to exist in all versions prior to the fixed build listed below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 4.1.2.

Vendor Contact Timeline:

2015-05-17: Vendor contacted via email.
2015-05-17: Vendor confirms vulnerability.
2015-05-23: Vendor issues updates to all builds.
2015-05-23: RACK911 Labs issues security advisory.