Important Security Patch - 4.0 (Build 600)
Community, Project News, Pulse May 15th, 2008
Posted by Jeff Standen

A security issue has been reported that allows some helpdesk content to be viewed without an active session. Please upgrade to 4.0 (Build 600) as soon as possible to correct this important issue.
The flaw has to do with how we authenticate controllers (the first ‘/slash’ commands in the application, like ‘/display’ or ‘/kb’) that aren’t standard helpdesk pages. Pages that you can reach from the menu handle security inherently, but functionality that doesn’t tie into the web interface (like ‘/cron’, which is secured by IP address) has to handle its own authentication according to its use case.
This preliminary patch addresses the reported issue directly. We’re going to run a full audit through the code to ensure other functionality isn’t susceptible to this same flaw.
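To make the distinction concrete, here is an added model (not Cerberus code) of a front controller that selects a controller from the first path segment. It contrasts the failure mode described above, where each controller opts in to its own check and one that forgets is reachable without a session, with a deny-by-default dispatch where only explicitly registered controllers such as ‘/cron’ (modelled here with a hypothetical IP allow-list) bypass the session requirement; the ‘export’ controller is a hypothetical stand-in for any page that never registered a check.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model (not Cerberus code) of a front controller where the first
# path segment ('/display', '/kb', '/cron', ...) selects the controller.

@dataclass
class Request:
    path: str
    session_active: bool   # does the request carry a valid helpdesk login?
    remote_addr: str

# Hypothetical allow-list for /cron, standing in for "secured by IP address".
CRON_NETS = [ip_network("127.0.0.1/32"), ip_network("10.0.0.0/8")]

def cron_auth(req: Request) -> bool:
    return any(ip_address(req.remote_addr) in net for net in CRON_NETS)

def controller_name(path: str) -> str:
    """'/display/ticket/123' -> 'display'; '/' -> 'index'."""
    segments = [s for s in path.split("/") if s]
    return segments[0].lower() if segments else "index"

# --- Failure mode: each controller is responsible for its own check, so a
# controller that never registered one ('export', hypothetical) is reachable
# without a session.
OPT_IN_CHECKS = {"display": lambda r: r.session_active,
                 "kb": lambda r: r.session_active,
                 "cron": cron_auth}

def authorize_opt_in(req: Request) -> bool:
    check = OPT_IN_CHECKS.get(controller_name(req.path))
    return True if check is None else check(req)   # missing check => allowed

# --- Hardened dispatch: only controllers with an explicitly registered rule
# bypass the session requirement; everything else needs an active session.
SELF_AUTHENTICATING = {"cron": cron_auth}

def authorize(req: Request) -> bool:
    check = SELF_AUTHENTICATING.get(controller_name(req.path))
    if check is not None:
        return check(req)
    return req.session_active                      # deny by default
```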
If you use Subversion to update Cerberus Helpdesk 4.0 (and you really should be), you can simply issue the console command “svn update -r 600” from your /cerb4 directory on a Unix-based server. If you use Windows, you can use a graphical client like TortoiseSVN to ‘Update to Revision’ 600 from the right-click menu.
After the code audit, I’ll do a follow-up post this afternoon on the blog with other security considerations. For example, if you wrap your helpdesk URL in HTTP Authentication from the webserver you can add another layer of protection. You’d just need to make sure your cronjob/task (using something like wget) is using the HTTP Authentication. I’ll explain how to do that in my next post.
(We’ll be upgrading all our hosted helpdesks immediately.)

To fix the foreach() errors after this update, I needed to update to an even newer build (602) using:
svn update -r 602