Penetration Test Findings
Posted: Mon Jun 19, 2023 9:04 pm
Hello,
I'm writing this to let everyone know of some findings from a recent penetration test our company has completed. As part of our testing and resolution we are required to submit any finds we come upon to the software vendor.
Hesk was noted on our finds -- Below are the notes from the testing.
Affected components:
/Admin/admin_submit_ticket.php
/Admin/edit_post.php
/Admin/admin_reply_ticket.php
/attachments/{attachment}
The assessment discovered an arbitrary file upload vulnerability in the Hesk application hosted on the support.fmlh-education.com server. A privileged threat actor who successfully uploads a custom ASPX file containing a web shell after editing the file extension whitelist is able to achieve arbitrary command execution on the underlying web server, including browsing the file system, reading file content, and obtaining secrets from configuration files.
Recommendation:
- it is recommended to submit a request to the application vendor to prevent the application administrator from allowing the upload of arbitrary file types. An administrator should be limited to choosing allowed file types from a known-safe list. Alternatively, configuration of allowed file types may be controlled by a method outside of the application administrator's influence; this would prevent an administrator from allowing dangerous file types to gain operating system level access.
If you have suggestions regarding how to remedy this please let me know; we have already turned off ASPX script execution on the server.
Thank you
Chris Peterson
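One way to implement the recommendation above in the application itself, as an added illustration that is not Hesk's own code: the administrator's configured extension list is intersected with a hard-coded known-safe list, so an admin can narrow what may be uploaded but can never widen it to include server-side script types. The constant names, the helper functions and the contents of both lists are assumptions for this example, not Hesk identifiers; the uploaded file is also stored under a server-generated name so the client-supplied filename never reaches the disk.

```php
<?php
// Added example, not Hesk's own code. Names and lists below are assumptions.

// Types the vendor considers safe to store. The admin UI may only offer these.
const KNOWN_SAFE_EXTENSIONS = ['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif',
                               'zip', 'doc', 'docx', 'xls', 'xlsx', 'csv'];

// Server-side script types that are refused regardless of configuration
// (constructed list for illustration; extend for the web stack in use).
const ALWAYS_BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar',
                                   'asp', 'aspx', 'ashx', 'asmx', 'cer', 'config',
                                   'jsp', 'jspx', 'cgi', 'pl', 'py', 'sh', 'htaccess'];

// Effective allowlist = admin's choice ∩ vendor's known-safe list.
// The admin can remove types but cannot add anything outside KNOWN_SAFE_EXTENSIONS.
function effective_allowed_extensions(array $adminConfigured): array
{
    $normalized = array_map(
        fn($e) => strtolower(ltrim(trim($e), '.')),
        $adminConfigured
    );
    return array_values(array_intersect($normalized, KNOWN_SAFE_EXTENSIONS));
}

// Returns the validated final extension, or null if the upload must be refused.
// Every dot-separated segment after the base name is inspected, so double
// extensions and non-alphanumeric tricks in the name are rejected, not just
// the last segment.
function validated_extension(string $clientFilename, array $allowed): ?string
{
    $name  = strtolower(basename($clientFilename));
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                      // no extension, or a dotfile such as .htaccess
    }
    array_shift($parts);                  // keep only the extension segments
    foreach ($parts as $segment) {
        if (!preg_match('/^[a-z0-9]+$/', $segment)) {
            return null;                  // odd characters in an extension segment
        }
        if (in_array($segment, ALWAYS_BLOCKED_EXTENSIONS, true)) {
            return null;                  // script type anywhere in the name
        }
    }
    $final = end($parts);
    return in_array($final, $allowed, true) ? $final : null;
}

// Storage name is generated by the server; only the validated extension survives.
function storage_name(string $validatedExtension): string
{
    return bin2hex(random_bytes(16)) . '.' . $validatedExtension;
}

// Constructed demonstration: an admin has added "aspx" to the configured list.
$adminList = ['pdf', 'png', 'aspx', '.docx'];
$allowed   = effective_allowed_extensions($adminList);   // ['pdf', 'png', 'docx']

foreach (['report.pdf', 'shell.aspx', 'photo.aspx.png', 'notes.docx', '.htaccess'] as $f) {
    $ext = validated_extension($f, $allowed);
    printf("%-16s -> %s\n", $f, $ext === null ? 'REJECTED' : 'stored as ' . storage_name($ext));
}
```

The application-level check complements, rather than replaces, the web-server change already made in the post: keeping script execution disabled for the attachments directory and serving attachments through a download handler (with Content-Disposition: attachment and X-Content-Type-Options: nosniff) means that even a file that slips past the filter is never executed or rendered by the server.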