Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23727
HistoryApr 30, 2010 - 12:00 a.m.

TaskFreak 0.6.2 SQL Injection Vulnerability

2010-04-3000:00:00
vulners.com
20

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-1583

Vendor notified and product update released.
Details of this report are also available at
http://www.madirish.net/?article=456

Description of Vulnerability:


The Tirzen Framework (http://www.tirzen.net/tzn/) is a supporting API
developed by Tirzen (http://www.tirzen.com), an intranet and internet
solutions provider. The Tirzen Framework contains a SQL injection
vulnerability (http://www.owasp.org/index.php/SQL_Injection). This
vulnerability could allow an attacker to arbitrarily manipulate SQL
strings constructed using the library. This vulnerability manifests
itself most notably in the Task Freak (http://www.taskfreak.com/) open
source task management software. The vulnerability can be exploited to
bypass authentication and gain administrative access to the Task Freak
system.

Systems affected:


Task Freak Multi User / mySQL v0.6.2 with Tirzen Framework 1.5 was
tested and shown to be vulnerable.

Impact


Attackers could manipulate database query strings resulting in
information disclosure, data destruction, authentication bypass, etc.

Technical discussion and proof of concept:


Tirzen Framework class TznDbConnection in the function loadByKey()
(tzn_mysql.php line 605) manifests a SQL injection vulnerability because
it fails to sanitize user supplied input used to compose SQL statements.

Proof of concept: any user can log into TaskFreak as the administrator
simply by using the username "1' or 1='1"

Vendor response:


Upgrade to the latest version of TaskFreak.


Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkvZkBcACgkQkSlsbLsN1gCGigcAkzmJCFyLWGJwM+MSm73YKPMq
NDPDzQZUdMZY9YpDWauL7GThIg6y8jfXd4NNdmIZ9yYr+ko7g7hFT4EnkKDlokj9
PVmZBIgysIycECu+XbcvJlNJLxE1g6rHHsSdvo0vn8mnDQeLWoALWrhaR661S4Ok
3Yel45wQNly2Y4b82lEL1/myLWwqoPP/zspM0Sm21mTCWStfCX0QCyZGYNUmlccI
2ci/7gT8tBNjWR3OAsznyIMi345IPAMMCfa6UDKKkv/wJCIwab4vxx/C+SGViDh8
of2kOYgowgmputYKeso=
=RMcJ
-----END PGP SIGNATURE-----

Related for SECURITYVULNS:DOC:23727