A critical security flaw has been discovered in Halo ITSM, an IT support management software widely deployed across cloud and on-premise environments.
The vulnerability, which allows attackers to inject malicious SQL code, poses a significant threat to organizations relying on the software to manage IT support tickets containing sensitive data such as credentials and internal documentation.
The issue was uncovered through a security audit conducted by researchers who flagged a pre-authentication SQL injection vulnerability in Halo ITSM’s codebase.
This vulnerability stems from poor security practices, including inconsistent use of object-relational mapping (ORM) and unsafe string concatenation in SQL queries.
Details of the Vulnerability
The root cause of the vulnerability lies in the use of weakly typed objects, which fail to enforce strict data types.
Specifically, the issue is linked to the PostLogMeIn function in the API controller NetHelpDesk.API/Controllers/NotifyController.cs.
This controller accepts untyped dictionary objects, thereby enabling attackers to manipulate input data and inject malicious SQL commands.
The vulnerable code processes JSON objects sent in HTTP POST requests without proper input validation or sanitization.
A crafted request can exploit this flaw by including malicious SQL in the techid parameter, as demonstrated in the proof-of-concept (PoC) request below:
Example Exploit:
POST /api/Notify HTTP/2
Host: vulnerablehost
Content-Type: application/json
{
"sessionid": "SESSION_ID_VALUE",
"tracking0": "ticket12345",
"techid": "1;waitfor delay '0:0:10'--",
"pickuptime": "2025-03-03T10:00:00",
"lastactiontime": "2025-03-03T11:30:00"
}When this request is sent, the SQL query execution is delayed for 10 seconds, confirming the vulnerability’s exploitability.
Since authentication is not enforced on this specific API endpoint, the attack can be carried out without any prior access to the system.
Impact and Mitigation
The vulnerability exposes organizations to data breaches, service disruptions, and unauthorized access to IT support systems.
Attackers could exploit the flaw to access credential data, manipulate support tickets, or escalate their privileges within the affected network.
Halo ITSM has since released a patch addressing the issue, but researchers warn that deeper problems remain in the codebase related to post-authentication attack surfaces.
Wider use of strict typing, input validation, and parameterized SQL queries could have prevented this and other potential vulnerabilities.
Recommendations
Organizations using Halo ITSM should immediately:
- Apply the latest security patch provided by Halo ITSM.
- Audit their systems for signs of exploitation, particularly unusual API requests or database queries.
- Incorporate secure coding practices in software development, emphasizing ORM, data sanitization, and input validation.
While Halo ITSM remains an essential tool for IT support management, this vulnerability highlights the importance of proactive security audits and robust software design to mitigate potential risks.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
.webp?w=1200&resize=1200,0&ssl=1&description=The vulnerability, which allows attackers to inject malicious SQL code, poses a significant threat to organizations relying on the software.){kind=link}