Grouplink Everything Helpdesk 10.0.3 XSS / Admin Takeover

Posted Sep 5, 2013
Authored by Johannes Greil, V. Paulikas | Site sec-consult.com

Grouplink Everything HelpDesk versions 10.0.3 and below suffer from cross site scripting and password reset vulnerabilities.

tags | advisory, vulnerability, xss
SHA-256 | 0e11f563d1566704eb5a0ee34b573581a9cbbfbbc50c6d757da046e0bdf19595

SEC Consult Vulnerability Lab Security Advisory < 20130904-0 >
=======================================================================
title: Undocumented password reset and admin takeover &
Cross-Site Scripting vulnerabilities
product: GroupLink everything HelpDesk
vulnerable version: <=10.0.3
fixed version: -
impact: Critical
homepage: http://www.grouplink.com
found: 2013-07-10
by: V. Paulikas, J. Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"everything HelpDesk by GroupLink was designed as an all in one solution
for any department in your organization. This solution enables departments
to track, automate, and report on incident resolution, change management,
and business processes in IT, Human Resources, Facilities Maintenance,
Development, Purchasing Departments and more."

http://www.grouplink.com


Business recommendation:
------------------------
By exploiting the undocumented password reset vulnerability, an
_unauthenticated_ attacker can gain administrative access to the affected
Helpdesk system very easily and access sensitive internal information of the
company, such as all tickets, user accounts, configuration/passwords in clear
text (e.g. database credentials), knowledge base, etc.

It is highly recommended not to use this software until a thorough security
review has been performed by security professionals. As a workaround, the
software should not be accessible from the Internet. Limit access only to
trusted users internally.

It is assumed that further critical vulnerabilities exist, as only a very
short sample test has been performed.


Vulnerability overview/description:
-----------------------------------
1) Cross-Site Scripting

The web application is prone to unauthenticated reflected Cross-Site Scripting
attacks. The vulnerability can be used to inject HTML or JavaScript code into
the affected web page. The code is executed in the browser of any user who
visits the manipulated URL.


2) Undocumented / insecure password reset function

The web application normally allows resetting a user's password by
supplying that user's email address. If a specific static, easily
guessable string is passed instead of the user email, the password of the
admin user is reset to a default value which is publicly
known/documented.

After the password reset procedure an unauthenticated, anonymous attacker is
able to access the administrative panel of the HelpDesk web application with
highest access rights. Attackers then gain access to highly sensitive
information depending on the usage of the helpdesk system (internal tickets,
user database, configuration/passwords in clear text (e.g. database
credentials), knowledge base information, etc).



Proof of concept:
-----------------
1) Cross-Site Scripting
Cross-Site Scripting vulnerabilities can be exploited by tricking the user
into accessing a specially crafted URL. This vulnerability was identified in
the scripts listed below:

/j_acegi_security_check (unauthenticated in login page)
/config/assignments (only authenticated)

Proof of concept URLs have been removed as the vendor did not supply any
patches.


2) Undocumented / insecure password reset function
In order to exploit the insecure password reset function it is sufficient
to supply a certain easily guessable string as the email address. This
information has been removed from the advisory, as the vendor did not supply
any patches.

The password of the administrative account "admin" is then set to a default
value of "admin" which can be used for login afterwards.

The URL of the password reset function:
http[s]://www.example.com/ehelpdesk/resetPassword.aglml
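Until the fixed release is deployed, defenders can at least watch the two affected endpoints. The following is an added detection example, not code from the advisory or from GroupLink: it runs over constructed access-log lines and flags reset requests whose "email" value is not an email address (the legitimate function only takes an address, so anything else is a candidate for the undocumented trigger), login-handler requests carrying markup, and the sequence "reset probe, then login attempt" from the same source. The parameter name "email" and the combined log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory): a legitimate
# reset request, a probe sending a non-email value to the reset endpoint,
# a login-handler request carrying a reflected-XSS probe, and normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2013:10:01:02 +0200] "GET /ehelpdesk/resetPassword.aglml?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.9 - - [04/Sep/2013:10:03:44 +0200] "GET /ehelpdesk/resetPassword.aglml?email=notanaddress HTTP/1.1" 200 498
203.0.113.9 - - [04/Sep/2013:10:04:10 +0200] "POST /ehelpdesk/j_acegi_security_check?j_username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0
203.0.113.7 - - [04/Sep/2013:10:05:00 +0200] "GET /ehelpdesk/index.aglml HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
RESET_SUFFIX = "/resetPassword.aglml"      # reset function named in the advisory
LOGIN_SUFFIX = "/j_acegi_security_check"   # login handler named in the advisory
XSS_MARKERS = ("<", ">", "javascript:", "onerror=", "onload=")


def analyse(log_text):
    """Return (source_ip, finding, detail) tuples for suspicious requests."""
    findings = []
    reset_probers = set()  # sources that sent a non-email value to the reset endpoint
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)  # values arrive URL-decoded
        if url.path.endswith(RESET_SUFFIX):
            # Assumed parameter name "email"; a missing value is treated as suspicious too.
            for value in params.get("email", [""]):
                if not EMAIL_RE.match(value):
                    findings.append((m["ip"], "reset-nonemail", value))
                    reset_probers.add(m["ip"])
        elif url.path.endswith(LOGIN_SUFFIX):
            for values in params.values():
                for value in values:
                    if any(mark in value.lower() for mark in XSS_MARKERS):
                        findings.append((m["ip"], "login-xss-probe", value))
            if m["ip"] in reset_probers:
                # A login attempt after a reset probe matches the admin-takeover pattern.
                findings.append((m["ip"], "reset-then-login", m["method"]))
    return findings


if __name__ == "__main__":
    for ip, finding, detail in analyse(SAMPLE_LOG):
        print(f"{ip:15} {finding:18} {detail}")
```

Only the query string is visible in a standard access log; to inspect POST bodies the same checks would have to run in a reverse proxy or WAF in front of the application.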


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in everything HelpDesk version
10.0.3, which was the most recent version at the time of discovery.


Vendor contact timeline:
------------------------
2013-07-17: Contacting vendor through info@grouplink.net &
support@grouplink.net, asking for security contact
2013-07-17: Auto-reply of ticket system, ticket automatically closed as SPAM
2013-07-18: Requesting security contact again, via their ticket (helpdesk)
system
2013-07-24: Still no reply, sending deadline (4th September) of security
advisory release to info@grouplink.net, support@grouplink.net,
sales@grouplink.net and multiple other contact email addresses
that we automatically received from their ticket system
2013-07-24: Vendor response, accusing us of phishing/spamming
Still no security contact provided, asking again, giving deadline
for vendor response (2013-07-30)
2013-07-25: Vendor HelpDesk ticket has been set to "closed"
2013-07-31: Telling vendor that security vulnerability will be published on
4th September (no response)
2013-08-14: Answer from Grouplink, asking for advisory details
2013-08-21: Sending advisory details
2013-08-27: Vendor: "undocumented reset admin feature has been removed" and
XSS fixed in next maintenance release (10.0.4) due to "next week"
2013-09-04: Public release of security advisory



Solution:
---------
No vendor patches available. Immediately upgrade to version 10.0.4 as soon
as it is available.


Workaround:
-----------
Restrict access to the software as much as possible and only allow access for
trusted users and not from the Internet.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas, J. Greil / @2013