-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2010-1583
Vendor notified and product update released.
Details of this report are also available at
http://www.madirish.net/?article=456
Description of Vulnerability:
The Tirzen Framework (http://www.tirzen.net/tzn/) is a supporting API
developed by Tirzen (http://www.tirzen.com), an intranet and internet
solutions provider. The Tirzen Framework contains a SQL injection
vulnerability (http://www.owasp.org/index.php/SQL_Injection). This
vulnerability could allow an attacker to arbitrarily manipulate SQL
strings constructed using the library. This vulnerability manifests
itself most notably in the Task Freak (http://www.taskfreak.com/) open
source task management software. The vulnerability can be exploited to
bypass authentication and gain administrative access to the Task Freak
system.
Systems affected:
Task Freak Multi User / mySQL v0.6.2 with Tirzen Framework 1.5 was
tested and shown to be vulnerable.
Impact
Attackers could manipulate database query strings resulting in
information disclosure, data destruction, authentication bypass, etc.
Technical discussion and proof of concept:
Tirzen Framework class TznDbConnection in the function loadByKey()
(tzn_mysql.php line 605) manifests a SQL injection vulnerability because
it fails to sanitize user supplied input used to compose SQL statements.
Proof of concept: any user can log into TaskFreak as the administrator
simply by using the username "1' or 1='1"
Vendor response:
Upgrade to the latest version of TaskFreak.
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iPwEAQECAAYFAkvZkBcACgkQkSlsbLsN1gCGigcAkzmJCFyLWGJwM+MSm73YKPMq
NDPDzQZUdMZY9YpDWauL7GThIg6y8jfXd4NNdmIZ9yYr+ko7g7hFT4EnkKDlokj9
PVmZBIgysIycECu+XbcvJlNJLxE1g6rHHsSdvo0vn8mnDQeLWoALWrhaR661S4Ok
3Yel45wQNly2Y4b82lEL1/myLWwqoPP/zspM0Sm21mTCWStfCX0QCyZGYNUmlccI
2ci/7gT8tBNjWR3OAsznyIMi345IPAMMCfa6UDKKkv/wJCIwab4vxx/C+SGViDh8
of2kOYgowgmputYKeso=
=RMcJ
-----END PGP SIGNATURE-----