Open ISES Tickets SQL Injection Vulnerability in List Requests Ajax Endpoint

A SQL injection vulnerability has been identified in Open ISES Tickets versions prior to 3.44.2. The issue resides in the portal/ajax/list_requests.php file, where the sort and dir GET parameters are improperly concatenated into the ORDER BY clause of a SQL SELECT statement without adequate sanitization. This vulnerability allows authenticated attackers to manipulate the query execution to read, modify, or delete database contents.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the portal/ajax/list_requests.php endpoint with crafted sort and dir GET parameters. These parameters should be designed to manipulate the SQL query's ORDER BY clause, taking advantage of the lack of proper input sanitization.

Remediation

Users are advised to upgrade to Open ISES Tickets version 3.44.2 or later, where this vulnerability has been patched.