OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues

From: Mayhemic Labs Security (securitymayhemiclabs.com)
Date: Wed Oct 11 2006 - 21:48:06 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MHL-2006-002 - Public Advisory

+-----------------------------------------------------------+
| Call-Center-Software Multiple Security Issues |
+-----------------------------------------------------------+

PUBLISHED ON
  October 11th, 2006

PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002

PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84

APPLICATION
  call-center software
  http://www.call-center-software.org/

  "call-center-software is a free open-source application
  released under the GPL"

AFFECTED VERSIONS
  Versions 0.93 and below

ISSUES
  Call-Center-Software is vulnerable to multiple SQL
  injection attacks and XSS under certain conditons,
  along with privilege escalation.

        1) XSS
        Call-Center-Software does not escape data when handling
        it allowing malicious javascript data to be inserted by
        any user.This is only when Magic Quotes is disabled
        within PHP.
        
        Example:
        A user entering <script>alert("Moo!");</script> into
        the problem description field when submitting the
        problem, will cause the javascript to be executed
        upon viewing or editting the problem.
        
        2) SQL Injection
        Call-Center-Software does not escape data when handling
        it allowing malicious users to inject SQL commands into
        the database. This is only when Magic Quotes is
        disabled within PHP.
        
        Example: By logging into the system with the user
        "'or 1=1 or 1='" the attacker is let into the system with
        full administrative privileges.
        
        3) Privilege Escalation and Password Disclosure
        Call-Center-Software does not check access privileges
        when bringing up the "edit user" screen. This, also
        combined with the lack of hashed password, discloses
        any user on the system's password, username, and other
        information stored within the database.
        
        Example: When logged in as a non administrative user
        a user can go to edit_user.php?user_id=1 and view the
        default admin account's password. Changing the
        user_id variable discloses the corresponding account's
        data.
        

WORKAROUNDS
        Enabling Magic Quotes will negate the XSS and SQL
        injection attacks on affected systems.

SOLUTIONS
        None at this time

REFERENCES
        call-center software - http://www.call-center-software.org/

TIMELINE
        September 25th, 2006
                Vendor/Developer Notified
                Vendor/Developer Response Recieved
                Vendor/Developer Questioned on Patch Availability
                No response
        October 3rd, 2006
                Vendor Followup
                Vendor/Developer Response Recieved
                Vendor/Developer Questioned on Patch Availability
                No response
                                
ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F
jz7P+B+SzCkde2WZOtAXFxE=
=Gth+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/