MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues

PUBLISHED ON
October 11th, 2006

PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002

PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com

security AT mayhemiclabs DOT com
GPG key: 0x56143F84

APPLICATION
call-center software
http://www.call-center-software.org/

"call-center-software is a free open-source application
released under the GPL"

AFFECTED VERSIONS
Versions 0.93 and below

ISSUES
Call-Center-Software is vulnerable to multiple SQL
injection attacks and XSS under certain conditons,
along with privilege escalation.

1) XSS
Call-Center-Software does not escape data when handling
it allowing malicious javascript data to be inserted by
any user.This is only when Magic Quotes is disabled
within PHP.

Example:
A user entering alert("Moo!"); into
the problem description field when submitting the
problem, will cause the javascript to be executed
upon viewing or editting the problem.

2) SQL Injection
Call-Center-Software does not escape data when handling
it allowing malicious users to inject SQL commands into
the database. This is only when Magic Quotes is
disabled within PHP.

Example: By logging into the system with the user
"'or 1=1 or 1='" the attacker is let into the system with
full administrative privileges.

3) Privilege Escalation and Password Disclosure
Call-Center-Software does not check access privileges
when bringing up the "edit user" screen. This, also
combined with the lack of hashed password, discloses
any user on the system's password, username, and other
information stored within the database.

Example: When logged in as a non administrative user
a user can go to edit_user.php?user_id=1 and view the
default admin account's password. Changing the
user_id variable discloses the corresponding account's
data.

WORKAROUNDS
Enabling Magic Quotes will negate the XSS and SQL
injection attacks on affected systems.

SOLUTIONS
None at this time

REFERENCES
call-center software - http://www.call-center-software.org/

TIMELINE
September 25th, 2006
Vendor/Developer Notified
Vendor/Developer Response Recieved
Vendor/Developer Questioned on Patch Availability
No response
October 3rd, 2006
Vendor Followup
Vendor/Developer Response Recieved
Vendor/Developer Questioned on Patch Availability
No response

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5