PmTicket Project-Management-Software Authentication Bypass Vulnerability via Insecure Deserialization

Vulnerability

An authentication bypass vulnerability has been identified in PmTicket Project-Management-Software versions prior to commit 2ef379da2075f4761a2c9029cf91d073474e7486. The issue is in the 'loadLanguage' function within 'classes/class.database.php', specifically in the Cookie Handler component. The function insecurely deserializes user input taken from cookies, so a remote attacker can craft a malicious cookie value that bypasses authentication.

Impact

Exploitation of this vulnerability leads to unauthorized access, allowing attackers to authenticate as users, potentially with elevated privileges.

Reproduction

The vulnerability can be reproduced by sending a crafted cookie that exploits the insecure deserialization in the 'loadLanguage' function. This can be done using a JavaScript snippet that serializes an object with specific user information, such as a user ID and username, and then sets it as a cookie. Once the cookie is accepted by the application, the deserialized data is used to authenticate the user, effectively bypassing login requirements.
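A defensive counterpart to the cookie handling described above, as an added example that is not PmTicket's code or its actual fix. All function names, cookie names and language codes are assumptions. It shows a language cookie read without deserialization, and an integrity-checked JSON cookie for cases where structured data must be stored client-side.

```php
<?php
// Added example with hypothetical names; not taken from the PmTicket code base.
const ALLOWED_LANGUAGES = ['en', 'de', 'fr'];   // assumed set of language codes
const DEFAULT_LANGUAGE  = 'en';

// Pattern to avoid: the cookie is client-controlled, so deserializing it lets
// the client choose the types and fields the server ends up trusting.
//   $prefs = unserialize($_COOKIE['prefs']);

// A language preference is a short string checked against an allow-list.
function load_language_safe(array $cookies): string
{
    $lang = $cookies['lang'] ?? DEFAULT_LANGUAGE;
    return (is_string($lang) && in_array($lang, ALLOWED_LANGUAGES, true))
        ? $lang
        : DEFAULT_LANGUAGE;
}

// Structured cookie data: JSON (plain data, no object instantiation) plus an
// HMAC under a server-side key. Identity still belongs in the server-side session.
function seal_cookie(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function open_cookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; reject before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    $data = ($json === false) ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Constructed sample input.
$key    = random_bytes(32);
$sealed = seal_cookie(['lang' => 'de'], $key);
var_dump(load_language_safe(['lang' => 'de']));
var_dump(load_language_safe(['lang' => 'xx-unknown']));
var_dump(open_cookie($sealed, $key));
var_dump(open_cookie(base64_encode('{"lang":"de"}') . '.' . str_repeat('0', 64), $key));
```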

Added: Sep 29, 2025, 2:19 AM
Updated: Sep 29, 2025, 2:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.