Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14649
HistoryOct 12, 2006 - 12:00 a.m.

[Full-disclosure] MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues

2006-10-1200:00:00
vulners.com
45

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MHL-2006-002 - Public Advisory

±----------------------------------------------------------+
| Call-Center-Software Multiple Security Issues |
±----------------------------------------------------------+

PUBLISHED ON
October 11th, 2006

PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002

PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com

security AT mayhemiclabs DOT com
GPG key: 0x56143F84

APPLICATION
call-center software
http://www.call-center-software.org/

"call-center-software is a free open-source application
released under the GPL"

AFFECTED VERSIONS
Versions 0.93 and below

ISSUES
Call-Center-Software is vulnerable to multiple SQL
injection attacks and XSS under certain conditons,
along with privilege escalation.

    1) XSS
    Call-Center-Software does not escape data when handling
    it allowing malicious javascript data to be inserted by
    any user.This is only when Magic Quotes is disabled
    within PHP.
    
    Example:
    A user entering <script>alert("Moo!");</script> into
    the problem description field when submitting the
    problem, will cause the javascript to be executed
    upon viewing or editting the problem.
    
    2) SQL Injection
    Call-Center-Software does not escape data when handling
    it allowing malicious users to inject SQL commands into
    the database. This is only when Magic Quotes is
    disabled within PHP.
    
    Example: By logging into the system with the user
    "'or 1=1 or 1='" the attacker is let into the system with
    full administrative privileges.
    
    3) Privilege Escalation and Password Disclosure
    Call-Center-Software does not check access privileges
    when bringing up the "edit user" screen. This, also
    combined with the lack of hashed password, discloses
    any user on the system's password, username, and other
    information stored within the database.
    
    Example: When logged in as a non administrative user
    a user can go to edit_user.php?user_id=1 and view the
    default admin account's password. Changing the
    user_id variable discloses the corresponding account's
    data.

WORKAROUNDS
Enabling Magic Quotes will negate the XSS and SQL
injection attacks on affected systems.

SOLUTIONS
None at this time

REFERENCES
call-center software - http://www.call-center-software.org/

TIMELINE
September 25th, 2006
Vendor/Developer Notified
Vendor/Developer Response Recieved
Vendor/Developer Questioned on Patch Availability
No response
October 3rd, 2006
Vendor Followup
Vendor/Developer Response Recieved
Vendor/Developer Questioned on Patch Availability
No response

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F
jz7P+B+SzCkde2WZOtAXFxE=
=Gth+
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/