[Full-disclosure] MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues

2006-10-12T00:00:00
ID SECURITYVULNS:DOC:14649
Type securityvulns
Reporter Securityvulns
Modified 2006-10-12T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

MHL-2006-002 - Public Advisory

+-----------------------------------------------------------+ | Call-Center-Software Multiple Security Issues | +-----------------------------------------------------------+

PUBLISHED ON October 11th, 2006

PUBLISHED AT http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002

PUBLISHED BY Mayhemic Labs http://www.mayhemiclabs.com

security AT mayhemiclabs DOT com GPG key: 0x56143F84

APPLICATION call-center software http://www.call-center-software.org/

"call-center-software is a free open-source application released under the GPL"

AFFECTED VERSIONS Versions 0.93 and below

ISSUES Call-Center-Software is vulnerable to multiple SQL injection attacks and XSS under certain conditons, along with privilege escalation.

    1) XSS
    Call-Center-Software does not escape data when handling
    it allowing malicious javascript data to be inserted by
    any user.This is only when Magic Quotes is disabled
    within PHP.

    Example:
    A user entering <script>alert("Moo!");</script> into
    the problem description field when submitting the
    problem, will cause the javascript to be executed
    upon viewing or editting the problem.

    2) SQL Injection
    Call-Center-Software does not escape data when handling
    it allowing malicious users to inject SQL commands into
    the database. This is only when Magic Quotes is
    disabled within PHP.

    Example: By logging into the system with the user
    "'or 1=1 or 1='" the attacker is let into the system with
    full administrative privileges.

    3) Privilege Escalation and Password Disclosure
    Call-Center-Software does not check access privileges
    when bringing up the "edit user" screen. This, also
    combined with the lack of hashed password, discloses
    any user on the system's password, username, and other
    information stored within the database.

    Example: When logged in as a non administrative user
    a user can go to edit_user.php?user_id=1 and view the
    default admin account's password. Changing the
    user_id variable discloses the corresponding account's
    data.

WORKAROUNDS Enabling Magic Quotes will negate the XSS and SQL injection attacks on affected systems.

SOLUTIONS None at this time

REFERENCES call-center software - http://www.call-center-software.org/

TIMELINE September 25th, 2006 Vendor/Developer Notified Vendor/Developer Response Recieved Vendor/Developer Questioned on Patch Availability No response October 3rd, 2006 Vendor Followup Vendor/Developer Response Recieved Vendor/Developer Questioned on Patch Availability No response

ADDITIONAL CREDIT N/A

LICENSE Creative Commons Attribution-ShareAlike License http://creativecommons.org/licenses/by-sa/2.5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F jz7P+B+SzCkde2WZOtAXFxE= =Gth+ -----END PGP SIGNATURE-----


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/