MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues
From: Mayhemic Labs Security <security@xxxxxxxxxxxxxxxx>
Date: Wed, 11 Oct 2006 22:48:06 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Mayhemic Labs
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MHL-2006-002 - Public Advisory

+-----------------------------------------------------------+
|    Call-Center-Software Multiple Security Issues          |
+-----------------------------------------------------------+


PUBLISHED ON
  October 11th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  call-center software
  http://www.call-center-software.org/

  "call-center-software is a free open-source application
  released under the GPL"


AFFECTED VERSIONS
  Versions 0.93 and below


ISSUES
  Call-Center-Software is vulnerable to multiple SQL
  injection attacks and XSS under certain conditons,
  along with privilege escalation.

        1) XSS
        Call-Center-Software does not escape data when handling
        it allowing malicious javascript data to be inserted by
        any user.This is only when Magic Quotes is disabled
        within PHP.
        
        Example:
        A user entering <script>alert("Moo!");</script> into
        the problem description field when submitting the
        problem, will cause the javascript to be executed
        upon viewing or editting the problem.
        
        2) SQL Injection
        Call-Center-Software does not escape data when handling
        it allowing malicious users to inject SQL commands into
        the database. This is only when Magic Quotes is
        disabled within PHP.
        
        Example: By logging into the system with the user
        "'or 1=1 or 1='" the attacker is let into the system with
        full administrative privileges.
        
        3) Privilege Escalation and Password Disclosure
        Call-Center-Software does not check access privileges
        when bringing up the "edit user" screen. This, also
        combined with the lack of hashed password, discloses
        any user on the system's password, username, and other
        information stored within the database.
        
        Example: When logged in as a non administrative user
        a user can go to edit_user.php?user_id=1 and view the
        default admin account's password. Changing the
        user_id variable discloses the corresponding account's
        data.
        

WORKAROUNDS
        Enabling Magic Quotes will negate the XSS and SQL
        injection attacks on affected systems.


SOLUTIONS
        None at this time


REFERENCES
        call-center software - http://www.call-center-software.org/


TIMELINE
        September 25th, 2006
                Vendor/Developer Notified
                Vendor/Developer Response Recieved
                Vendor/Developer Questioned on Patch Availability
                No response
        October 3rd, 2006
                Vendor Followup
                Vendor/Developer Response Recieved
                Vendor/Developer Questioned on Patch Availability
                No response
                                
ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F
jz7P+B+SzCkde2WZOtAXFxE=
=Gth+
-----END PGP SIGNATURE-----

Prev by Date: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
Next by Date: XeoPort <= 0.81 SQL Injection Vulnerability
Previous by thread: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
Next by thread: XeoPort <= 0.81 SQL Injection Vulnerability
Index(es):
- Date
- Thread