Ravens PHP Scripts: Forums
 

 

oprime2001
Worker



Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Sat Jun 26, 2004 11:37 am

I don't know if other nukers use [link hidden by forum] or not, but there is an advisory that was recently released. Some @$$hole from 62.118.158.71 tried it on my support site.

Please refer to:
[link hidden by forum]

Developer discussion board at:
[link hidden by forum]
 
oprime2001







Posted: Sun Jun 27, 2004 7:43 am

Just received the following email from the developer's mailing list.

Quote:

osTicket just released a security alert. Below is the security alert as posted. Please note that a fix has been released and you are urgently asked to patch your systems.

This security update addresses possible security exploits in attachments upload and ticket ids. The fix appears in the latest release (1.2.7). If you have osTicket installed, install updates as soon as possible. If your install is part of a shared system, contact your hosting company or system administrator.

Exploits Summary.
Remote user can upload and execute malicious code, if FileTypes patch is not yet applied (Patch released on 10-22-2003).
Current release does not require users to validate email used to open a ticket via on-line form.
Users can submit files larger than maximum file size allowed.

Bug fixes/Solutions
Robust FileTypes and FileSize restriction.
Only authenticated users are allowed to submit attachments.
No instant login anymore; users have to check their email to get the ticket ids.
Forced download for attachments (no more in-line view).
Hidden attachment directory (hide directory path and name).

Disclaimer
Please note that we are NOT responsible for updating osTicket distributed by hosts, autoinstallers or any other third-party.

There is no warranty, expressed or implied, associated with this product. Use at your own risk.

Download the latest release NOW
http://www.osticket.com/index.php?option=com_downloads&Itemid=50&func=fileinfo&filecatid=6

osTicket
http://www.osticket.com
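
The fixes listed in the alert above, as an added PHP example that is not part of the thread and not osTicket's own code: authenticated uploads only, an extension allowlist, a size cap measured on the server, a random stored name, and forced-download headers. The size limit, the allowlist, the function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not osTicket's code. Limits, allowlist and names are assumptions.
const MAX_BYTES   = 1048576;                       // assumed 1 MiB cap
const ALLOWED_EXT = ['txt', 'pdf', 'png', 'jpg'];  // assumed allowlist

// Returns null when the upload is acceptable, otherwise the rejection reason.
// In a request handler: $bytesOnDisk = filesize($_FILES['f']['tmp_name']).
function attachment_rejection(string $clientName, int $bytesOnDisk, bool $authenticated): ?string
{
    if (!$authenticated) {
        return 'login required';
    }
    // Use the size measured on the server, never the size the client declared.
    if ($bytesOnDisk <= 0 || $bytesOnDisk > MAX_BYTES) {
        return 'size not allowed';
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? null : 'file type not allowed';
}

// Random stored name: the client's name, with any inner ".php", never reaches disk.
// Save it with move_uploaded_file() into a directory outside the web root.
function storage_name(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Forced download: the browser saves the file instead of rendering it in-line.
function download_headers(string $displayName, int $bytes): array
{
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($displayName));
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'Content-Length: ' . $bytes,
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed samples: [client file name, bytes on disk, authenticated?]
$samples = [['report.pdf', 20480, true], ['shell.php', 512, true],
    ['shell.php.jpg', 512, true], ['big.png', 5000000, true], ['notes.txt', 100, false]];
foreach ($samples as [$name, $bytes, $auth]) {
    $why = attachment_rejection($name, $bytes, $auth);
    echo str_pad($name, 16), $why ?? 'accepted as ' . storage_name($name), "\n";
}
echo implode("\n", download_headers('../../report.pdf', 20480)), "\n";
```

Run from the command line with PHP 7.1 or later; in a real handler the stored file is served only through a script that emits these headers, so the attachment directory path is never exposed to the browser.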
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sun Jun 27, 2004 7:58 am

Thanks for the Alert and the Fix notification!
 
All times are GMT - 6 Hours
 