1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176 | # Title : GoAutoDial CE 3.3 Multiple SQL injections, Command Injection
# Date : 06/12/2015
# Author : R-73eN
# Tested on : goautodial-32bit-ce-3.3-final
# Software : http://goautodial.org/
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
Vulnerabilities
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
call_report_export.php
Line 131
$LOGip = getenv("REMOTE_ADDR");
$LOGbrowser = getenv("HTTP_USER_AGENT");
$LOGscript_name = getenv("SCRIPT_NAME");
$LOGserver_name = getenv("SERVER_NAME");
$LOGserver_port = getenv("SERVER_PORT");
$LOGrequest_uri = getenv("REQUEST_URI");
$LOGhttp_referer = getenv("HTTP_REFERER");
if (preg_match("/443/i",$LOGserver_port)) {$HTTPprotocol = 'https://';}
else {$HTTPprotocol = 'http://';}
if (($LOGserver_port == '80') or ($LOGserver_port == '443') ) {$LOGserver_port='';}
else {$LOGserver_port = ":$LOGserver_port";}
$LOGfull_url = "$HTTPprotocol$LOGserver_name$LOGserver_port$LOGrequest_uri";
$stmt="INSERT INTO vicidial_report_log set event_date=NOW(), user='$PHP_AUTH_USER', ip_address='$LOGip', report_name='$report_name', browser='$LOGbrowser', referer='$LOGhttp_referer', notes='$LOGserver_name:$LOGserver_port $LOGscript_name |$campaign[0], $query_date, $end_date|', url='$LOGfull_url';";
The $LOGip , $LOGbrowser etc are not sanitized are passed directly to a sql query.
For example passing a crafted User-Agent header will cause a sql injection attack.
The following files were vulnerable for the same vulnerability.
call_report_export.php
voice_lab.php
user_status.php
user_stats.php
timeclock_status.php
timeclock_report.php
sph_report.php
group_hourly_stats.php
realtime_report.php
lead_report_export.php
list_download.php
fcstats.php
call_report_export.php
AST_VICIDIAL_ingrouplist.php
AST_VICIDIAL_hopperlist.php
AST_usergroup_login_report.php
AST_team_performance_detail.php
AST_VDADstats.php
AST_server_performance.php
campaign_debug.php
AST_LIST_UPDATEstats.php
AST_LISTS_campaign_stats.php
AST_OUTBOUNDsummary_interval.php
AST_IVRstats.php
AST_IVRfilter.php
AST_inbound_daily_report.php
and in many other files.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
web_form_forward.php
Line 15
if (isset($_GET["user"])) {$user=$_GET["user"];}
require("dbconnect.php");
$stmt="SELECT full_name from vicidial_users where user='$user';";
$rslt=mysql_query($stmt, $link);
$row=mysql_fetch_row($rslt);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
QM_live_monitor.php
If the QueueMetrics is enabled the following file is vulnerable to sql injection
. LINE 31
if (isset($_GET["call"])){$call=$_GET["call"];}
elseif (isset($_POST["call"])) {$call=$_POST["call"];}
.
.
.
$stmt = "SELECT user,server_ip,conf_exten,comments FROM vicidial_live_agents where callerid='$call';";
As u can see the $call parameter is not sanitized which leads to Sql injection.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
call_log_display.php SQL injection
there is no validation on the $server_ip and $session_name an
if( (strlen($server_ip)<6) or (!isset($server_ip)) or ( (strlen($session_name)<12) or (!isset($session_name)) ) )
.
.
$stmt="SELECT count(*) from web_client_sessions where session_name='$session_name' and server_ip='$server_ip';";
.
.
The if statement can be bypassed very easily, we need to provide an input more then 6 characters and more then 12 characters.
Then the parameters get passed ot the sql query and we have sql injection again.
The same vulnerability was found to.
conf_extn_check.php
inbound_popup.php
live_extn_check.php
manager_send.php
park_calls_display.php
active_list_refresh.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SCRIPT_multirecording_AJAX.php SQL injection
.
.
.
if (isset($_GET["campaign"])) {$campaign=$_GET["campaign"];}
elseif (isset($_POST["campaign"])) {$campaign=$_POST["campaign"];}
.
.
.
$stmt="select campaign_rec_filename from vicidial_campaigns where campaign_id='$campaign'";
Again $campaign is not sanetized
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
recording_lookup.php SQL injection
.
.
(isset($_GET["QUERY_recid"])) {$QUERY_recid=$_GET["QUERY_recid"];}
elseif (isset($_POST["QUERY_recid"])) {$QUERY_recid=$_POST["QUERY_recid"];}
.
.
$stmt="select recording_id,lead_id,user,filename,location,start_time,length_in_sec from recording_log where filename LIKE \"%$QUERY_recid%\" order by recording_id desc LIMIT 1;";
$QUERY_recid is not sanitized.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vicidial_sales_viewer.php SQL injection , Command Injection
the $dcampaign parameter is not sanitized.
.
.
if (isset($_GET["dcampaign"])) {$dcampaign=$_GET["dcampaign"];}
elseif (isset($_POST["dcampaign"])) {$dcampaign=$_POST["dcampaign"];}
.
.
$stmt="select campaign_id, campaign_name from vicidial_campaigns where campaign_id='$dcampaign'"; // Here we have the sql injection
.
.
passthru("$WeBServeRRooT/vicidial/spreadsheet_sales_viewer.pl $list_ids $sales_number $timestamp $forc $now $dcampaign"); // Command injection
https://www.infogen.al/ - Infogen AL
|