Horrible security by design
Reviewed by USA IT Professional on Fri, 15th June 2012
Trouble Ticket Express is built from the ground up with no intention for security.
There are too many issues to list them all, so below are a few. The software allows:
the software stores config data in non-code bearing ".cgi" files, and constantly rewrites those files (even with MySQL module in use)
server side configs can have data injected into them by any software or person capable of generating a URL (no auth required)
anyone smart enough to edit their local computer's host file to "hack" a new domain name into a TTX config
the install program itself says to install data files and directory with 777 perms in UNIX
...
the list goes on forever
This software is only useful for internal use, and only then if you blindly trust every one of the users and systems capable of communicating with this software.
eastwright
Fri, 28th December 2012
Horrible review (by intention?)
Yes, the software keeps data in *.cgi files to ensure that nobody can access the files by accessing them via browser, even if a customer does not follow setup wizard recommendations and places data files under the web root directory. Try to open such a file, and all you get is an internal server error.
"Server side configs can have data injected" - it would be a severe vulnerability... if it existed. And even worse: assuming that the vulnerability exists, posting hints instead of contacting developer of the open source software does not seem to be professional to begin with...
Anyone can "hack" a domain name by editing the local hosts file? Sure. But the config file will be "re-hacked" back instantly, by anyone "not smart enough to edit the local hosts file". So, what is the point? Sending an email with a wrong link? But why not just send a legitimate-looking email from your account? Less work and guaranteed result.
"the list goes on forever" - why not use our help desk or web forum to submit the list? We all know that there is no such thing as vulnerability-free software. For non-believers I suggest subscribing to CVE or just to RedHat/Ubuntu security notifications. All those lists are the result of the work of true professionals, the guys who want to make the Internet a more secure place by reporting bugs and vulnerabilities to authors.
Sincerely,
Alex Pavlov
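A defender's check for the two deployment points argued over above (a 777-permission install and data files placed under the web root), added here as an example; it is not code from the thread or from Trouble Ticket Express, and the install and document-root paths it takes are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the review thread or of Trouble Ticket Express.
# Audits a helpdesk install for the two deployment risks discussed above.
# Assumptions: $1 is the install/data directory, $2 is the web server's
# document root; both are hypothetical paths supplied by the operator.

# List every file or directory under $1 that is writable by "others"
# (mode 777 directories and files both match the -002 bit test).
world_writable() {
    find "$1" -perm -002 -print 2>/dev/null
}

# Exit 0 if $1 resolves to a path inside the document root $2 (so the web
# server could serve its data files), 1 if it is outside, 2 if unresolvable.
under_webroot() {
    data=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$data/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Run both checks, print each finding, and return the number of findings
# (0 means clean), so the function can gate a deployment script.
audit_install() {
    findings=0
    for p in $(world_writable "$1"); do
        echo "world-writable: $p"
        findings=$((findings + 1))
    done
    if under_webroot "$1" "$2"; then
        echo "data directory $1 is inside web root $2"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# usage (hypothetical paths): audit_install /opt/ttx/data /var/www/html
```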