nGenuity

osTicket Admin Login Blind SQL Injection

osTicket prior to v1.6 RC5 fails to validate or escape staff usernames, which can be abused by an unauthenticated attacker to execute a blind SQL injection attack.

nGenuity Information Security | 509.396.2075 | Site by &yet