
Call-Center-Software Multiple Security Issues
MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MHL-2006-002 - Public Advisory

+-----------------------------------------------------------+
|    Call-Center-Software Multiple Security Issues          |
+-----------------------------------------------------------+


PUBLISHED ON
  October 11th, 2006


PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt 
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002 


PUBLISHED BY
  Mayhemic Labs
http://www.mayhemiclabs.com 

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  call-center software
http://www.call-center-software.org/ 

  "call-center-software is a free open-source application
  released under the GPL"


AFFECTED VERSIONS
  Versions 0.93 and below


ISSUES
  Call-Center-Software is vulnerable to multiple SQL
  injection attacks and XSS under certain conditions,
  along with privilege escalation.

	1) XSS
	Call-Center-Software does not escape data when handling
	it, allowing malicious javascript to be inserted by
	any user. This applies only when Magic Quotes is disabled
	within PHP.
	
	Example:
	A user entering  into
	the problem description field when submitting the
	problem, will cause the javascript to be executed
	upon viewing or editing the problem.
	
	2) SQL Injection
	Call-Center-Software does not escape data when handling
	it allowing malicious users to inject SQL commands into
	the database. This is only when Magic Quotes is
	disabled within PHP.
	
	Example: By logging into the system with the user
	"'or 1=1 or 1='" the attacker is let into the system with
	full administrative privileges.
	
	3) Privilege Escalation and Password Disclosure
	Call-Center-Software does not check access privileges
	when bringing up the "edit user" screen. Combined with
	the lack of password hashing, this discloses the
	password, username, and other information stored within
	the database for any user on the system.
	
	Example: When logged in as a non administrative user
	a user can go to edit_user.php?user_id=1 and view the
	default admin account's password. Changing the
	user_id variable discloses the corresponding account's
	data.
	

WORKAROUNDS
	Enabling Magic Quotes will negate the XSS and SQL
	injection attacks on affected systems.


SOLUTIONS
	None at this time
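
	With no vendor fix listed and a workaround that does not cover
	issue 3, the sketch below shows code-level mitigations for all
	three issues: bound query parameters, hashed passwords, an
	authorization check on the edit screen, and output encoding.
	It is an added example, not code from Call-Center-Software; the
	table, column and function names are assumptions, and the
	accounts are constructed sample data.

```php
<?php
// Added example: hardened equivalents of the three flaws, on an in-memory SQLite DB.
// Table and column names (users, id, username, pw_hash, is_admin) are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                               pw_hash TEXT, is_admin INTEGER)');
$ins = $db->prepare('INSERT INTO users (username, pw_hash, is_admin) VALUES (?, ?, ?)');
// Constructed sample accounts; only a hash is stored, never the password itself.
$ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 1]);
$ins->execute(['agent', password_hash('constructed-agent-pw', PASSWORD_DEFAULT), 0]);

// Issue 2: the username is bound as a parameter, so quotes in it stay data.
function login(PDO $db, string $user, string $pass): ?array {
    $q = $db->prepare('SELECT id, username, pw_hash, is_admin FROM users WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pw_hash'])) {
        return null;
    }
    unset($row['pw_hash']);
    return $row;
}

// Issue 3: a session may load a user record only if it is an admin or the owner,
// and the record never includes the password hash.
function load_user_for_edit(PDO $db, array $session, int $userId): ?array {
    if (!$session['is_admin'] && (int)$session['id'] !== $userId) {
        return null; // caller should answer with HTTP 403
    }
    $q = $db->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $q->execute([$userId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Issue 1: encode on output, whatever was stored in the description field.
function render_description(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

var_dump(login($db, "'or 1=1 or 1='", 'x'));                   // login string from the advisory
$agent = login($db, 'agent', 'constructed-agent-pw');
var_dump(load_user_for_edit($db, $agent, 1));                  // non-admin requesting user_id=1
var_dump(load_user_for_edit($db, $agent, (int)$agent['id']));  // non-admin requesting own record
echo render_description('<i>constructed markup</i>'), "\n";
```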


REFERENCES
call-center software - http://www.call-center-software.org/ 


TIMELINE
	September 25th, 2006
		Vendor/Developer Notified
		Vendor/Developer Response Received
		Vendor/Developer Questioned on Patch Availability
		No response
	October 3rd, 2006
		Vendor Followup
		Vendor/Developer Response Received
		Vendor/Developer Questioned on Patch Availability
		No response
				
ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org 

iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F
jz7P+B+SzCkde2WZOtAXFxE=Gth+
-----END PGP SIGNATURE-----

