Open ISES Tickets SQL Injection Vulnerability in tables.php Prior to Version 3.44.2

A SQL injection vulnerability has been identified in Open ISES Tickets versions prior to 3.44.2. The issue resides in tables.php, where multiple POST parameters (tablename, indexname, sortby) are concatenated into table and column identifiers for dynamically generated SQL SELECT, UPDATE, and DELETE statements without proper sanitization. This flaw allows authenticated attackers to manipulate the SQL queries to read, modify, or delete database content.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to a vulnerable Open ISES Tickets instance running a version prior to 3.44.2. Include crafted values in the 'tablename', 'indexname', and 'sortby' parameters that exploit the lack of SQL injection protection. The absence of proper input sanitization allows these parameters to be manipulated, altering the SQL query execution and potentially leading to unauthorized database access or modifications.

Remediation

Users are advised to upgrade to Open ISES Tickets version 3.44.2 or later, where this vulnerability has been patched.