[<prev] [next>] [day] [month] [year] [list]
Message-id: <452DACE6.9080400@mayhemiclabs.com>
Date: Wed, 11 Oct 2006 22:48:06 -0400
From: Mayhemic Labs Security <security@...hemiclabs.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: MHL-2006-002 Public Advisory:
"Call-Center-Software" Multiple Security Issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MHL-2006-002 - Public Advisory
+-----------------------------------------------------------+
| Call-Center-Software Multiple Security Issues |
+-----------------------------------------------------------+
PUBLISHED ON
October 11th, 2006
PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002
PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com
security AT mayhemiclabs DOT com
GPG key: 0x56143F84
APPLICATION
call-center software
http://www.call-center-software.org/
"call-center-software is a free open-source application
released under the GPL"
AFFECTED VERSIONS
Versions 0.93 and below
ISSUES
Call-Center-Software is vulnerable to multiple SQL
injection attacks and XSS under certain conditons,
along with privilege escalation.
1) XSS
Call-Center-Software does not escape data when handling
it allowing malicious javascript data to be inserted by
any user.This is only when Magic Quotes is disabled
within PHP.
Example:
A user entering <script>alert("Moo!");</script> into
the problem description field when submitting the
problem, will cause the javascript to be executed
upon viewing or editting the problem.
2) SQL Injection
Call-Center-Software does not escape data when handling
it allowing malicious users to inject SQL commands into
the database. This is only when Magic Quotes is
disabled within PHP.
Example: By logging into the system with the user
"'or 1=1 or 1='" the attacker is let into the system with
full administrative privileges.
3) Privilege Escalation and Password Disclosure
Call-Center-Software does not check access privileges
when bringing up the "edit user" screen. This, also
combined with the lack of hashed password, discloses
any user on the system's password, username, and other
information stored within the database.
Example: When logged in as a non administrative user
a user can go to edit_user.php?user_id=1 and view the
default admin account's password. Changing the
user_id variable discloses the corresponding account's
data.
WORKAROUNDS
Enabling Magic Quotes will negate the XSS and SQL
injection attacks on affected systems.
SOLUTIONS
None at this time
REFERENCES
call-center software - http://www.call-center-software.org/
TIMELINE
September 25th, 2006
Vendor/Developer Notified
Vendor/Developer Response Recieved
Vendor/Developer Questioned on Patch Availability
No response
October 3rd, 2006
Vendor Followup
Vendor/Developer Response Recieved
Vendor/Developer Questioned on Patch Availability
No response
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F
jz7P+B+SzCkde2WZOtAXFxE=
=Gth+
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists