1. Introduction
The OneOrZero Helpdesk tinfo.php Arbitrary File Upload vulnerability allows an attacker to upload files of any type to a web server running the OneOrZero Helpdesk application. Because the uploaded file can be a server-side script, the attacker can run code as the web server user, potentially taking control of the system or reading sensitive data. Affected systems are those running vulnerable versions of the OneOrZero Helpdesk PHP application with Task Attachments enabled. Successful exploitation can compromise confidentiality, integrity and availability.
2. Technical Explanation
The vulnerability exists because the ‘tinfo.php’ script does not validate files uploaded via a POST request that carries the ‘send_email’ parameter. If ‘Task Attachments’ is enabled (the default setting), an attacker can upload a file of any type. Uploading a PHP script and then requesting it lets the attacker execute arbitrary code with the privileges of the web server user.
- Root cause: Missing input validation on uploaded files via the ‘tinfo.php’ script when the ‘send_email’ parameter is present.
- Exploit mechanism: An attacker sends a POST request to ‘tinfo.php’ with a malicious file attached and the ‘send_email’ parameter set. This uploads the file to the server, which can then be executed. For example, uploading a PHP shell containing code to list files in the current directory.
- Scope: OneOrZero Helpdesk application versions affected are not explicitly stated but this vulnerability is present on installations where Task Attachments are enabled.
3. Detection and Assessment
You can confirm whether a system is vulnerable by checking the application version and whether Task Attachments is enabled. A more conclusive method is an authorised attempt, on a test copy of the installation, to upload a harmless marker file (for example a plain-text file with a .php extension) and check whether it is stored and served; do not upload a working shell to a production system.
- Quick checks: Log in to the OneOrZero Helpdesk control panel and check under ‘OneOrZero Settings’ to see if ‘Task Attachments’ is enabled.
- Scanning: Nessus ID 32959 is cited as detecting this issue. Treat a scanner hit as a candidate and confirm it against the Task Attachments setting.
- Logs and evidence: Examine web server access logs for POST requests to ‘tinfo.php’. The ‘send_email’ parameter and the file itself travel in the POST body, which default access logs do not record, so treat every POST to the script as a candidate and correlate it with later requests from the same client for files with script extensions (.php, .phtml and similar) under the attachment storage path. Also inspect the attachment directory on disk for files with script extensions or with content that does not match their extension.
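As an added example (not part of the original advisory and not OneOrZero code), the following Python script applies the log check above to a few constructed combined-format access-log lines. It assumes attachments are served from a hypothetical /helpdesk/attachments/ path (ATTACH_DIRS); the page does not say where OneOrZero stores them, so adjust it to the real install. Because the ‘send_email’ field and the file are in the unlogged POST body, the script flags every POST to tinfo.php and then correlates it with later requests from the same client for script files in the attachment path.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "POST /helpdesk/tinfo.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2024:10:01:09 +0000] "GET /helpdesk/attachments/shell.php?cmd=ls HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2024:10:05:00 +0000] "POST /helpdesk/tinfo.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2024:10:05:30 +0000] "GET /helpdesk/attachments/report.pdf HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2024:11:00:00 +0000] "GET /helpdesk/tinfo.php?id=42 HTTP/1.1" 200 3000 "-" "curl/7.88"
10.0.0.9 - - [12/Jan/2024:11:00:05 +0000] "GET /helpdesk/attachments/x.phtml HTTP/1.1" 404 0 "-" "curl/7.88"
"""

# Hypothetical location of stored attachments under the web root; adjust to the
# real install (the advisory does not state where OneOrZero writes attachments).
ATTACH_DIRS = ("/helpdesk/attachments/",)
# Extensions a PHP-enabled web server commonly executes; no ticket attachment needs them.
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".pht")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def path_of(target):
    """Strip the query string from a request target."""
    return target.split("?", 1)[0]


def in_attachment_dir(path):
    return any(path.startswith(d) for d in ATTACH_DIRS)


def hunt(log_text):
    """Walk the log once and return findings in order.

    kind == "upload"        : POST to tinfo.php (the vulnerable entry point)
    kind == "exec"          : same client later requested a script-extension file
                              from the attachment directory: likely an uploaded shell
    kind == "script_request": script-extension file requested from the attachment
                              directory with no earlier POST from that client
    """
    findings = []
    posted = defaultdict(int)   # client ip -> POSTs to tinfo.php seen so far
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        path = path_of(rec["target"])
        if rec["method"] == "POST" and path.endswith("/tinfo.php"):
            posted[rec["ip"]] += 1
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": "upload",
                             "path": path, "status": rec["status"]})
        elif in_attachment_dir(path) and path.lower().endswith(SCRIPT_EXTS):
            kind = "exec" if posted[rec["ip"]] else "script_request"
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": kind,
                             "path": path, "status": rec["status"]})
    return findings


def likely_compromised(findings):
    """Clients that both POSTed to tinfo.php and then fetched a script from attachments."""
    uploaders = {f["ip"] for f in findings if f["kind"] == "upload"}
    executors = {f["ip"] for f in findings if f["kind"] == "exec"}
    return sorted(uploaders & executors)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<10} {f['kind']:<15} {f['status']} {f['path']}")
    print("likely compromised:", likely_compromised(hunt(SAMPLE_LOG)))
```

On a real server, pass the contents of the access log to hunt() instead of SAMPLE_LOG; the line format is the common combined format, so only ATTACH_DIRS normally needs changing. A client that appears in likely_compromised() has almost certainly executed an uploaded file, and the host should be handled as an incident rather than just remediated.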
# No command available as this requires application access. Check UI settings.
4. Solution / Remediation Steps
Disable Task Attachments within the OneOrZero Helpdesk control panel to prevent further arbitrary file uploads. This is the recommended solution. Disabling the feature does not remove files that were uploaded before the change, so also review the attachment storage for script files and remove any that are found.
4.1 Preparation
- The rollback plan is to re-enable Task Attachments in the control panel if issues occur.
- A standard change window may be appropriate depending on your organisation’s policies. Administrator approval may be needed.
4.2 Implementation
- Step 1: Log in to the OneOrZero Helpdesk application as an administrator.
- Step 2: Navigate to ‘OneOrZero Settings’.
- Step 3: Disable ‘Task Attachments’.
- Step 4: Save your changes.
4.3 Config or Code Example
Before
// Task Attachments enabled in OneOrZero Settings (default)
After
// Task Attachments disabled in OneOrZero Settings
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue. Least privilege reduces the impact if exploited, and input validation blocks unsafe data from being processed. Safe defaults minimise initial exposure.
- Practice 1: Implement least privilege for web server user accounts to limit damage from code execution.
- Practice 2: Enforce strict validation on all file uploads: allow-list the permitted extensions, check that the content matches the declared type, give stored files a random server-side name, and keep them outside the web root or in a directory where script execution is disabled.
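The validation policy in Practice 2, written out as an added example in Python. OneOrZero's tinfo.php is PHP and its upload handler is not shown on this page, so this is an illustration of the checks, not the application's code; the permitted types, the size cap and the magic-number table are assumptions for the example.

```python
import os
import re
import secrets

# Hypothetical attachment policy for a helpdesk (illustration, not OneOrZero's code).
# Maps each permitted extension to the leading bytes a genuine file of that type has;
# an empty tuple means "no magic number, validate the content another way".
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "txt": (),
}
MAX_BYTES = 5 * 1024 * 1024            # assumed size cap for the example
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


class RejectedUpload(ValueError):
    """Raised with a short reason when an upload fails policy."""


def validate_attachment(client_name, data, max_bytes=MAX_BYTES):
    """Validate one uploaded file; return (extension, server_side_name) or raise.

    'data' is the raw bytes of the uploaded part. The client-supplied name is used
    only to pick an extension from the allow-list; the stored name is random, so
    double extensions ("shell.php.pdf") and path traversal in the client name
    never reach the filesystem.
    """
    if not data or len(data) > max_bytes:
        raise RejectedUpload("empty or oversized")
    base = os.path.basename(client_name.replace("\\", "/"))
    if not SAFE_NAME.match(base) or base.startswith("."):
        raise RejectedUpload("unsafe filename")
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED:
        raise RejectedUpload("extension not on allow-list")
    ext = parts[1]
    magic = ALLOWED[ext]
    if magic and not data.startswith(magic):
        raise RejectedUpload("content does not match extension")
    if ext == "txt":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise RejectedUpload("text attachment is not UTF-8") from None
        if b"\x00" in data:
            raise RejectedUpload("text attachment contains NUL bytes")
    # Random server-side name: nothing the client sent influences the stored path.
    return ext, f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name, data):
    """Boolean convenience wrapper for quick checks."""
    try:
        validate_attachment(client_name, data)
        return True
    except RejectedUpload:
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign PDF header versus a PHP shell under two names.
    print(validate_attachment("report.pdf", b"%PDF-1.4 constructed sample"))
    for name, blob in (("shell.php", b"<?php system($_GET['c']); ?>"),
                       ("shell.pdf", b"<?php system($_GET['c']); ?>")):
        print(name, "accepted" if is_accepted(name, blob) else "rejected")
```

The returned server-side name should be written to a directory outside the web root (or one where the PHP handler is disabled) and served back through a download script that sets Content-Disposition: attachment, so that even a file that slips through the content check is never interpreted by the server.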
4.5 Automation (Optional)
No suitable automation script is available as this requires direct interaction with the application’s web interface.
# No script available for this vulnerability.
5. Verification / Validation
Confirm that Task Attachments are disabled and attempt to upload a test file to verify the fix. Check key user actions continue to work as expected.
- Post-fix check: Log in to the OneOrZero Helpdesk control panel and confirm ‘Task Attachments’ is disabled under ‘OneOrZero Settings’.
- Re-test: On a test copy, attempt to upload a harmless marker file with a .php extension via the ‘tinfo.php’ script; the upload should be rejected, and the file must not appear in the attachment storage or be served by the web server.
- Smoke test: Verify that other helpdesk functions, such as creating and viewing tickets, still work correctly.
- Monitoring: Keep watching web server logs for POST requests to ‘tinfo.php’ and the attachment directory for new files. With the feature disabled, neither should occur, so either is worth investigating.
# No command available - check UI settings and attempt a test upload.
6. Preventive Measures and Monitoring
Update security baselines to include disabling Task Attachments in OneOrZero Helpdesk. Implement input validation checks during development or deployment. A regular patch review cycle helps identify and address vulnerabilities quickly.
- Baselines: Update the application security baseline to require that ‘Task Attachments’ is disabled by default in OneOrZero Helpdesk installations.
- Pipelines: Integrate static application security testing (SAST) into your CI/CD pipeline to identify input validation issues early in the development process.
7. Risks, Side Effects, and Roll Back
Disabling Task Attachments may affect users who rely on attaching files to tickets. The rollback steps are simple: re-enable the feature in the control panel.
- Risk or side effect 1: Users may be unable to attach files to support requests, potentially slowing down issue resolution.
- Risk or side effect 2: No other known service impacts.
- Roll back:
- Step 1: Log in to the OneOrZero Helpdesk application as an administrator.
- Step 2: Navigate to ‘OneOrZero Settings’.
- Step 3: Enable ‘Task Attachments’.
- Step 4: Save your changes.
8. References and Resources
- Advisory or bulletin: SecurityFocus BID 32959 (third-party listing; no vendor bulletin is cited).
- NVD or CVE entry: No specific CVE is listed for this vulnerability.
- Product or platform documentation relevant to the fix: No official OneOrZero Helpdesk documentation available regarding this specific issue.