-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MHL-2006-002 - Public Advisory

+-----------------------------------------------------------+
|    Call-Center-Software Multiple Security Issues          |
+-----------------------------------------------------------+


PUBLISHED ON
  October 11th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  call-center software
  http://www.call-center-software.org/

  "call-center-software is a free open-source application
  released under the GPL"


AFFECTED VERSIONS
  Versions 0.93 and below


ISSUES
  Call-Center-Software is vulnerable to multiple SQL
  injection attacks and XSS under certain conditons,
  along with privilege escalation.

  1) XSS
  Call-Center-Software does not escape data when handling
  it allowing malicious javascript data to be inserted by
  any user.This is only when Magic Quotes is disabled
  within PHP.
  
  Example:
  A user entering <script>alert("Moo!");</script> into
  the problem description field when submitting the
  problem, will cause the javascript to be executed
  upon viewing or editting the problem.
  
  2) SQL Injection
  Call-Center-Software does not escape data when handling
  it allowing malicious users to inject SQL commands into
  the database. This is only when Magic Quotes is
  disabled within PHP.
  
  Example: By logging into the system with the user
  "'or 1=1 or 1='" the attacker is let into the system with
  full administrative privileges.
  
  3) Privilege Escalation and Password Disclosure
  Call-Center-Software does not check access privileges
  when bringing up the "edit user" screen. This, also
  combined with the lack of hashed password, discloses
  any user on the system's password, username, and other
  information stored within the database.
  
  Example: When logged in as a non administrative user
  a user can go to edit_user.php?user_id=1 and view the
  default admin account's password. Changing the
  user_id variable discloses the corresponding account's
  data.
  

WORKAROUNDS
  Enabling Magic Quotes will negate the XSS and SQL
  injection attacks on affected systems.


SOLUTIONS
  None at this time


REFERENCES
  call-center software - http://www.call-center-software.org/


TIMELINE
  September 25th, 2006
    Vendor/Developer Notified
    Vendor/Developer Response Recieved
    Vendor/Developer Questioned on Patch Availability
    No response
  October 3rd, 2006
    Vendor Followup
    Vendor/Developer Response Recieved
    Vendor/Developer Questioned on Patch Availability
    No response
        
ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F
jz7P+B+SzCkde2WZOtAXFxE=
=Gth+
-----END PGP SIGNATURE-----