{"vuid":"VU#294272","idnumber":"294272","name":"ReadyDesk contains multiple vulnerabilities","keywords":["readydesk","sqli","directory traversal","hard-coded key","arbitrary upload"],"overview":"ReadyDesk, version 9.1 and possibly others, contains SQL injection, path traversal, hard-coded cryptographic key, and arbitrary file upload vulnerabilities that may be leveraged to expose sensitive data and execute arbitrary code in the context of the vulnerable software.","clean_desc":"ReadyDesk is a help desk ticketing web application designed to facilitate business internal or business to customer interactions. CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2016-5048 The user name field of http://<IP>/readydesk/chat/staff/default.aspx fails to properly escape single quote characters, or ', provided as field input. Through error-based, blind SQL injection attacks, a remote, unauthenticated attacker may obtain full database contents, including user passwords which are stored as SHA1 hashes. CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CVE-2016-5049 The SESID parameter of requests to http://<IP>/readydesk/chat/openattach.aspx is vulnerable to directory traversal and may be exploited to read arbitrary files on affected systems when combined with the FNAME parameter. For instance, to download SQL_Config.aspx, an attacker would make a request to: http://<IP>/readydesk/chat/openattach.aspx?SESID=..\\..\\hd\\data&FNAME=SQL_Config.aspx CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-5683 SQL Server user credentials stored in SQL_Config.aspx are encrypted using a hard-coded cryptographic key found in ReadyDesk.dll. An attacker capable of obtaining the encrypted password can easily decrypt it for use in further attacks. CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-5050 Files uploaded via http://<IP>/readydesk/chat/sendfile.aspx are not properly validated, allowing for arbitrary upload of files with a dangerous type. A remote, unauthenticated attacker could execute arbitrary code by uploading and making a request to a specially crafted aspx page. The CVE score below describes CVE-2016-5050.","impact":"A remote, unauthenticated attacker can obtain sensitive database information, read arbitrary files, and execute arbitrary code in the context of the vulnerable software.","resolution":"The CERT/CC is currently unaware of a practical solution to these problems. A vendor advisory for version 9.2 states that it contains \"Critical Security Updates,\" though details are not provided and it is unknown whether any of the vulnerabilities described above are addressed.","workarounds":"","sysaffected":"","thanks":"Thanks to Andrew Tierney of Pen Test Partners for reporting these vulnerabilities.","author":"This document was written by Joel Land.","public":["http://www.readydesk.com/","https://cwe.mitre.org/data/definitions/89.html","https://cwe.mitre.org/data/definitions/22.html","https://cwe.mitre.org/data/definitions/321.html","https://cwe.mitre.org/data/definitions/434.html"],"cveids":["CVE-2016-5048","CVE-2016-5049","CVE-2016-5683","CVE-2016-5050"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-08-09T16:13:26Z","publicdate":"2016-08-16T00:00:00Z","datefirstpublished":"2016-08-16T13:59:12Z","dateupdated":"2016-08-16T13:59:12Z","revision":21,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UR","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.5","cvss_basevector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","cvss_temporalscore":"6.4","cvss_environmentalscore":"4.79953764322594","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}