blackcell Posted June 9, 2008

Please don't break it. I would like to know about bugs if you find them. FYI the password changing is disabled.

Here are links for multiple users because I think it should boot someone off if 2 users log in as the same name:

User1 - www.gayloraid.com/Tickets/admin/index.php?user=tester2@tickets.com&pass=123456789
User2 - www.gayloraid.com/Tickets/admin/index.php?user=tester3@tickets.com&pass=123456789
User3 - www.gayloraid.com/Tickets/admin/index.php?user=tester4@tickets.com&pass=123456789
User4 - www.gayloraid.com/Tickets/admin/index.php?user=tester5@tickets.com&pass=123456789
User5 - www.gayloraid.com/Tickets/admin/index.php?user=tester6@tickets.com&pass=123456789
User6 - www.gayloraid.com/Tickets/admin/index.php?user=tester7@tickets.com&pass=123456789
User7 - www.gayloraid.com/Tickets/admin/index.php?user=tester8@tickets.com&pass=123456789
User8 - www.gayloraid.com/Tickets/admin/index.php?user=tester9@tickets.com&pass=123456789

Also, I am no security expert so I would like to know about security exploits, SQL injection and such if you find them.

EDIT: Feel free to enter data, edit data, close tickets, assign tickets, blah blah blah.

Also, the typical users' interface is here: www.gayloraid.com/Tickets/

Link to comment https://forums.phpfreaks.com/topic/109439-ticket-system-to-do-management/

blackcell Posted June 9, 2008

One more thing, I built this using Firefox and have no desire to make this 100% compatible with IE. I consider IE a plague that preys on the ignorant, therefore I will leave it to one of those to make it compatible.

Coreye Posted June 9, 2008

Cross Site Scripting (XSS): You can submit ">code when editing the tickets.
Cross Site Scripting (XSS): You can submit ">code when adding projects.
Cross Site Scripting (XSS): You can submit ">code when adding solutions.

Full Path Disclosure: When adding a user.

Warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/bgaylor/public_html/Tickets/admin/mailer/class.smtp.php on line 105
Warning: fsockopen() [function.fsockopen]: unable to connect to :25 in /home/bgaylor/public_html/Tickets/admin/mailer/class.smtp.php on line 105
Message was not sent
Mailer Error: Language string failed to load: connect_host

Full Path Disclosure: http://www.gayloraid.com/Tickets/admin/mailer/newTicket.php

Fatal error: Call to undefined function: mailer_host() in /home/bgaylor/public_html/Tickets/admin/mailer/newTicket.php on line 11

Full Path Disclosure: http://www.gayloraid.com/Tickets/admin/mailer/sendMail.php

Fatal error: Call to undefined function: mailer_host() in /home/bgaylor/public_html/Tickets/admin/mailer/sendMail.php on line 11

SQL Error: http://www.gayloraid.com/Tickets/admin/panel_tickets_show.php?WHERE=a

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

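The raw MySQL syntax error returned for `?WHERE=a` in the report above is consistent with the parameter's value reaching the query text. The following is an added example, not blackcell's code, of the usual fix: the request only names a filter from an allow-list and the value is bound as a parameter. It assumes a current PHP with PDO; the `tickets` table, its columns and `find_tickets()` are hypothetical.

```php
<?php
// Added example; the tickets table, its columns and find_tickets() are hypothetical.

// Allow-list: the request names a filter, the SQL text comes only from here.
const TICKET_FILTERS = [
    'status'   => 'status = :value',
    'assignee' => 'assignee = :value',
];

function find_tickets(PDO $db, string $filter, string $value): array
{
    if (!array_key_exists($filter, TICKET_FILTERS)) {
        throw new InvalidArgumentException('Unknown ticket filter');
    }
    $sql = 'SELECT id, title FROM tickets WHERE ' . TICKET_FILTERS[$filter] . ' ORDER BY id';
    $stmt = $db->prepare($sql);
    $stmt->execute([':value' => $value]); // the value is bound, never concatenated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, status TEXT, assignee TEXT)');
$db->exec("INSERT INTO tickets (title, status, assignee) VALUES
    ('Printer offline', 'open', 'O''Brien'),
    ('Reset password', 'closed', 'Smith')");

// A quote inside the value is treated as data, not as SQL syntax.
$rows = find_tickets($db, 'assignee', "O'Brien");
echo count($rows), ' ticket(s): ', $rows[0]['title'], "\n";

// A filter name that is not on the list is rejected before any SQL is built.
try {
    find_tickets($db, 'a', 'anything');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
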
blackcell Posted June 9, 2008

1) Cross Site Scripting (XSS): If Cross Site Scripting is the ability to add HTML, I want to eventually add a text formatting toolbar to it. What are the dangers right now? What is the best way to combat XSS?

Edit: Removed Question.

3) Where does the fsockopen() come from?

4) How did you manage to get this:

SQL Error: http://www.gayloraid.com/Tickets/admin/panel_tickets_show.php?WHERE=a

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

LOL @ marquees by the way.

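On the XSS question in the post above: the `">` prefix in the reports is consistent with stored text being written back into a quoted HTML attribute without encoding. The following is an added example, not part of the thread or of blackcell's code, showing output encoding for form fields and an allow-list approach for the planned formatting toolbar; `h()`, `render_field()`, `render_ticket_body()` and the tag list are assumptions.

```php
<?php
// Added example; h(), render_field(), render_ticket_body() and the tag list are hypothetical.

// Encode for both HTML body and quoted-attribute contexts: ENT_QUOTES covers " and '.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Edit form: the stored title goes back into a value="..." attribute.
function render_field(string $name, string $stored): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($stored) . '">';
}

// Toolbar formatting: encode everything, then restore only exact, attribute-free tags.
function render_ticket_body(string $stored): string
{
    $html = h($stored);
    foreach (['b', 'i', 'u'] as $tag) {
        $html = str_replace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $html
        );
    }
    return nl2br($html);
}

// Constructed input in the shape reported in the thread: a quote and bracket, then markup.
$title = '"><marquee>code</marquee>';
echo render_field('title', $title), "\n";

// Constructed body: a plain <b> is restored, an opening tag carrying an attribute stays encoded.
$body = "Fixed in <b>build 12</b>\n<b class=\"x\">still text</b>";
echo render_ticket_body($body), "\n";
```

An unmatched `<b>` or `</b>` can still upset the page layout, but a restored tag can never carry attributes or script.
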
blackcell Posted June 9, 2008

What were you doing to get these:

Full Path Disclosure: When adding a user.

> Warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/bgaylor/public_html/Tickets/admin/mailer/class.smtp.php on line 105
> Warning: fsockopen() [function.fsockopen]: unable to connect to :25 in /home/bgaylor/public_html/Tickets/admin/mailer/class.smtp.php on line 105
> Message was not sent
> Mailer Error: Language string failed to load: connect_host

Full Path Disclosure: http://www.gayloraid.com/Tickets/admin/mailer/newTicket.php

> Fatal error: Call to undefined function: mailer_host() in /home/bgaylor/public_html/Tickets/admin/mailer/newTicket.php on line 11

Full Path Disclosure: http://www.gayloraid.com/Tickets/admin/mailer/sendMail.php

> Fatal error: Call to undefined function: mailer_host() in /home/bgaylor/public_html/Tickets/admin/mailer/sendMail.php on line 11

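The messages quoted above are PHP's own warnings and fatal errors rendered into the response, and the two fatal errors are listed against the URLs of `mailer/newTicket.php` and `mailer/sendMail.php` themselves. The following is an added example, not blackcell's code, of keeping that detail in a log and making include-only files refuse direct requests. It assumes a current PHP; the `bootstrap.php` name, the `TICKETS_APP` constant and the log path are hypothetical.

```php
<?php
// bootstrap.php (hypothetical name), loaded first by every entry page.
// Added example; TICKETS_APP, the log path and the messages are assumptions.

define('TICKETS_APP', true);

// Keep file paths and line numbers out of responses; record them in a log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // assumed to be outside the web root

// Uncaught exceptions and fatal errors: log the detail, send a generic 500.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Something went wrong. The error has been logged.';
});

// Warnings and notices (such as the fsockopen() ones) become exceptions,
// so they take the same path instead of being printed inline.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false; // respect the configured reporting level
    }
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// In each include-only file (for example mailer/newTicket.php and mailer/sendMail.php),
// as the first statement, so a direct request never reaches code that needs the app context:
//     if (!defined('TICKETS_APP')) { http_response_code(404); exit; }
```
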
keeB Posted June 10, 2008

Your UI gave me a headache.

blackcell Posted June 10, 2008

Would you happen to know why so that I may fix it?

keeB Posted June 10, 2008

Why it gave me a headache? The colors were too bland and everything was stuck very tight. Then I click and look at the 'Urgent' tickets in yellow. I guess I'm light sensitive today but I had to shut it off.

Space is your friend. Use it.

blackcell Posted June 10, 2008

Space is something that is hard to manage when you are building this for people likely to use 1024x768. Do you have any suggestions to get around that? I have been searching for a while.

keeB Posted June 10, 2008

Use % instead of absolute.

blackcell Posted June 10, 2008

Let me work it.

keeB Posted June 10, 2008

Looks better already. Get rid of the gradient, and use some padding.

blackcell Posted June 10, 2008

I haven't done anything. What gradient, the grey to silver headers?

keeB Posted June 10, 2008

Yep

blackcell Posted June 12, 2008

Released some updates to the system. Still working on some things.

ev5unleash Posted June 13, 2008

Hey, when you're done, mind giving me the PHP files? Been looking around for something like this.

keeB Posted June 14, 2008

This looks 10,000 times better. The bar fading has GOT TO GO, though. Seriously. Make it a solid color like dark blue or something.

blackcell Posted July 9, 2008

Ok, I have updated the graphics a bit. Take a look now.

ev5unleash Posted July 9, 2008

I would make the interface look simpler and less complex. Just a suggestion if you want to make the service easier and faster to use.

blackcell Posted July 9, 2008

Could you provide an example? I find it simple but most are arguing that it is complex. I don't see it? Thanks.

darkfreaks Posted July 9, 2008

Password type input with autocomplete

The impact of this vulnerability
Possible sensitive information disclosure

How to fix this vulnerability
The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off">

Vulnerability description
HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server.

The impact of this vulnerability
Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability
Disable TRACE Method on the web server

Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability

Vulnerability description
This alert was generated using only banner information. It may be a false positive. A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures. Affected mod_ssl versions (up to 2.8.17). This vulnerability affects mod_ssl.

The impact of this vulnerability
Denial of service and/or possible arbitrary code execution.

Attack details
Current version is mod_ssl/2.2.8 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

How to fix this vulnerability
Upgrade mod_ssl to the latest version.

blackcell Posted July 9, 2008

Thanks dark.

darkfreaks Posted July 9, 2008

Not a prob, let me know when it's fixed, I'll rescan to be sure.

Maldian Posted July 10, 2008

Nice system there... I was thinking about creating one for my office here. We are a computer company with 4 techs. I wanted to get a bit more in depth with it. I like the system. I am new to the board here and already am impressed.

blackcell Posted July 11, 2008

What is your email, Maldian?