Penetration Test Findings

Helpdesk for my helpdesk software

Moderator: mkoch227

cpeterson
Posts: 2
Joined: Mon Jun 05, 2023 8:31 pm

Penetration Test Findings

Post by cpeterson »

Hello,

I'm writing this to let everyone know of some findings from a recent penetration test our company has completed. As part of our testing and resolution we are required to submit any findings we come upon to the software vendor.

Hesk was noted in our findings. Below are the notes from the testing.

Affected components:
/Admin/admin_submit_ticket.php
/Admin/edit_post.php
/Admin/admin_reply_ticket.php
/attachments/{attachment}

The assessment discovered an arbitrary file upload vulnerability in the Hesk application hosted on the support.fmlh-education.com server. A privileged threat actor who successfully uploads a custom ASPX file containing a web shell, after editing the file extension whitelist, is able to achieve arbitrary command execution on the underlying web server, including browsing the file system, reading file content, and obtaining secrets from configuration files.

Recommendation:
- It is recommended to submit a request to the application vendor to prevent the application administrator from allowing the upload of arbitrary file types. An administrator should be limited to choosing allowed file types from a known-safe list. Alternatively, configuration of allowed file types may be controlled by a method outside of the application administrator's influence; this would prevent an administrator from allowing dangerous file types in order to gain operating system level access.

If you have suggestions regarding how to remedy this, please let me know; we have already turned off ASPX script execution on the server.

Thank you
Chris Peterson
Klemen
Site Admin
Posts: 10142
Joined: Fri Feb 11, 2005 4:04 pm

Re: Penetration Test Findings

Post by Klemen »

I don't know who did your penetration testing or the details of the tests, but:

"after editing the file extension whitelist"

This means they edited Hesk settings to allow "aspx" files to be uploaded to the server. So you must explicitly enable Hesk to upload these kinds of files (in Hesk admin panel > Settings > Attachments > Allowed file types).

Even when you do that, Hesk stores attachments with random names. To execute the file, you have to know the exact (random) file name. You can do that by looking into the attachments folder contents. And if you can do that, you already have access to the server (you didn't get it through Hesk)!

If you can share the details of your testing in a private message or directly to kstirn AT hesk DOT com, I will be happy to have a look.
Klemen, creator of HESK and PHPJunkyard
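The two points raised above, that an administrator should only be able to pick attachment types from a known-safe list, and that stored attachments get random names so an uploaded file cannot simply be requested by its original name, can be illustrated with a small policy module. This is an added example and not Hesk's own code; the known-safe list, the executable-extension list, the comma-separated setting format, and the function names are all assumptions made for the illustration.

```python
"""
Added illustration (not Hesk's code): an attachment policy that keeps the
administrator's whitelist inside a known-safe list and stores uploads under
random, unguessable names. All lists and names here are hypothetical.
"""
import os
import secrets
from typing import List, Tuple

# Extensions a web server may hand to a script engine (IIS, PHP, Java, CGI).
# Assumption: illustrative, not exhaustive; any real list needs review for the
# server actually in use.
SERVER_EXECUTABLE = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "asp", "aspx", "asax", "ashx", "asmx", "cer", "config",
    "jsp", "jspx", "cgi", "pl", "py", "sh", "htaccess", "htpasswd",
    "exe", "dll",
}

# The known-safe list the administrator is allowed to choose from (assumption).
KNOWN_SAFE = {
    "pdf", "txt", "png", "jpg", "jpeg", "gif", "doc", "docx",
    "xls", "xlsx", "zip", "csv", "log",
}


def normalize_ext(ext: str) -> str:
    """'.PDF ' -> 'pdf'."""
    return ext.strip().lstrip(".").lower()


def validate_allowed_types(admin_setting: str) -> Tuple[List[str], List[str]]:
    """Parse an admin setting such as '.pdf,.txt,.aspx' into (accepted, rejected).

    Anything outside KNOWN_SAFE is rejected, and SERVER_EXECUTABLE is checked
    as well so that a later edit to KNOWN_SAFE cannot re-enable a script type.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for raw in admin_setting.split(","):
        ext = normalize_ext(raw)
        if not ext:
            continue
        if ext in KNOWN_SAFE and ext not in SERVER_EXECUTABLE:
            accepted.append(ext)
        else:
            rejected.append(ext)
    return accepted, rejected


def extension_of(filename: str) -> str:
    """Final extension of a client-supplied name, lower-cased.

    Path components are stripped first so '../../shell.aspx' is judged by its
    basename; only the last extension counts, so 'shell.txt.aspx' is 'aspx'.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def storage_name_for(filename: str, allowed: List[str]) -> str:
    """Return the on-disk name for an upload, or raise ValueError if refused.

    The name is 32 hex characters from a CSPRNG plus the validated extension,
    so a file cannot be requested by guessing; the original name would only be
    kept in the database for display, never used on the filesystem.
    """
    ext = extension_of(filename)
    if ext not in allowed:
        raise ValueError(f"extension {ext!r} is not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample: an admin tries to add aspx and php to the whitelist.
    ok, bad = validate_allowed_types(".pdf, .txt, .aspx, .php")
    print("accepted:", ok, "rejected:", bad)
    print("stored as:", storage_name_for("report.PDF", ok))
```

The extension check and the random name are independent controls: the first keeps script types out of the whitelist regardless of what an administrator types, the second means that even a permitted upload sits at a path the uploader cannot predict. Neither replaces turning off script execution for the attachments directory on the web server itself, which is the layer that holds when both application-level controls are bypassed.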
cpeterson
Posts: 2
Joined: Mon Jun 05, 2023 8:31 pm

Re: Penetration Test Findings

Post by cpeterson »

I agree; I figured if they had admin access we had a bigger issue than the file type Hesk was allowing. I didn't know about the random file name change, that is good to know. I also had ASPX execution turned off on the server, so I was slightly skeptical of how they would have even run the file, assuming it was uploaded.

I will see if I can get more information from the company regarding this to send over.

Thank you