Sql injection

hitha

While audited for security some vulnerabilities reported.
Sql injection.
response form
osticket/upload/scp/tickets.php?id=14&_pjax=%23pjax-container%27
osticket/upload/scp/js?query=query%27+AND+%271%27%3D%271%27+--+
osticket/upload/scp/logo.php?1642066501=%27+AND+%271%27%3D%271%27+--+
osticket/upload/scp/login.php

please help

KevinTheJedi

@hitha

Can you prove SQL injection or are you just seeing a response and thinking it executed (ie. false positive)? You will need to create a POC that proves SQL can be injected and once you do that you can submit it to the security team at security[at]osticket[dot]com.

Cheers.

ntozier

Also, as a side note, you would want to report replicable security concerns to the Devs directly.
https://github.com/osTicket/osTicket/blob/develop/SECURITY.md