Outpost24 researcher Kasper Bertelsen has warned of several vulnerabilities in Joomla's Helpdesk Pro which can lead to remote code execution on servers.

The Helpdesk Pro Joomla extension allows users to categorise and log support tickets with managers who receive notifications.

eBay, Heathrow Airport and the High Court of Australia are a few of the millions of entities that use Joomla.

The flaws turned up by Bertelsen's colleagues Simon Rawet, Kristian Varnai, and Gregor Mynarsky were straight out of insecurity-for-dummies: direct object references, cross-site scripting, SQL injection, local file injection, path traversal and arbitrary file upload.

"[The vulns] leave systems vulnerable to a wide variety of attack types, with effects ranging from disclosure of potentially sensitive information, to a complete server takeover with arbitrary code execution," said.

"All of these attacks have been shown to have the potential to cause serious harm, many of them with the very real possibility of a full compromise of the server, and even the most harmless attack disclosing sensitive information about users."

The local file disclosure hole worked because an attachment download and upload service does not properly restrict downloaded files. An attacker can grab the configuration.php file, for example, which contains sensitive information, like database usernames and passwords and FTP credentials.

"This information can give an attacker free access to the database, or even the ability to freely upload their own files to the server, where they could then be executed, giving them complete access to the server," Bertelsen said.

HelpDesk Pro version 1.3.0 has been flagged as vulnerable but all versions below 1.4.0 are also suspected of being exposed. Users have been advised to upgrade to the latest offering. ®