Open ISES Tickets SQL Injection Vulnerability in GPS Tracking Integration

Vulnerability

A SQL injection vulnerability has been identified in Open ISES Tickets versions prior to 3.44.2. The issue resides in 'incs/remotes.inc.php', where data from external GPS tracking services (InstaMapper and Google Latitude) is not properly sanitized before being included in SQL UPDATE and INSERT statements. An attacker who can compromise or mimic the remote GPS tracker can exploit this vulnerability to manipulate location data, tracking information, and assignment records.

Impact

Exploitation of this vulnerability allows for SQL injection, which could be used to manipulate database records or execute arbitrary SQL commands.

Reproduction

The vulnerability can be reproduced by sending a request to a ticket that includes GPS data from a compromised tracking service. The injected SQL is then executed, potentially altering ticket information or other database records.

Remediation

Users are advised to update to Open ISES Tickets version 3.44.2 or later, where this vulnerability has been patched.
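
For code that consumes a third-party tracker feed in the way described above, the following added example (not the Open ISES Tickets code or its 3.44.2 patch) shows the defensive pattern: treat each remote field as untrusted, validate it against its expected type and range, and bind it as a parameter instead of placing it in the SQL text. The table, column, and field names are hypothetical, and the feed records are constructed.

```php
<?php
// Added illustration. Table, column and field names are hypothetical and are
// not taken from incs/remotes.inc.php.
// Pattern to avoid: "UPDATE ... SET lat = '" . $rec['lat'] . "' ..." (remote value in the SQL text).

// Validate one record from a remote tracker feed; return null if any field is malformed.
function validate_fix(array $rec): ?array {
    $lat = filter_var($rec['lat'] ?? null, FILTER_VALIDATE_FLOAT);
    $lng = filter_var($rec['lng'] ?? null, FILTER_VALIDATE_FLOAT);
    $ts  = filter_var($rec['timestamp'] ?? null, FILTER_VALIDATE_INT);
    $id  = $rec['device_id'] ?? '';
    if ($lat === false || $lat < -90 || $lat > 90) return null;
    if ($lng === false || $lng < -180 || $lng > 180) return null;
    if ($ts === false || $ts < 0) return null;
    // D modifier: '$' must match the true end of the string, not before a trailing newline.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/D', $id)) return null;
    return ['device_id' => $id, 'lat' => $lat, 'lng' => $lng, 'timestamp' => $ts];
}

// Write a validated position with bound parameters; returns the number of rows changed.
function store_fix(PDO $db, array $fix): int {
    $stmt = $db->prepare(
        'UPDATE responder_position SET lat = :lat, lng = :lng, updated = :ts
         WHERE device_id = :id'
    );
    $stmt->execute([
        ':lat' => $fix['lat'], ':lng' => $fix['lng'],
        ':ts'  => $fix['timestamp'], ':id' => $fix['device_id'],
    ]);
    return $stmt->rowCount();
}

// Demo against an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE responder_position
           (device_id TEXT PRIMARY KEY, lat REAL, lng REAL, updated INTEGER)');
$db->exec("INSERT INTO responder_position VALUES ('unit-7', 0, 0, 0)");

// Constructed feed records: one well-formed, one with a non-numeric latitude.
$feed = [
    ['device_id' => 'unit-7', 'lat' => '44.9778', 'lng' => '-93.2650', 'timestamp' => '1700000000'],
    ['device_id' => 'unit-7', 'lat' => "0', lng='0", 'lng' => '-93.2650', 'timestamp' => '1700000001'],
];
foreach ($feed as $rec) {
    $fix = validate_fix($rec);
    if ($fix === null) {
        // Rejections are worth logging: malformed feed data can indicate a tampered source.
        error_log('rejected tracker record: ' . json_encode($rec));
        continue;
    }
    echo store_fix($db, $fix), " row(s) updated\n";
}
```

Validation and parameter binding are independent controls here: binding alone keeps the second record from changing the statement, while validation also keeps the malformed value out of the table and produces a log entry to investigate.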

Added: May 21, 2026, 6:47 PM
Updated: May 21, 2026, 6:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 8.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.