lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 18 Apr 2011 21:38:37 -0300
From: Ewerson Guimarães (Crash) - Dclabs <crash@...abs.com.br>
To: bugtraq@...urityfocus.com
Subject: [DCA-2011-0011] - Ocomon Multiple SQL Injection

[DCA-2011-0011]

[Discussion]
- DcLabs Security Research Group advises about following vulnerability(ies):

[Software]
- Ocomon

[Vendor Product Description]
- The OCOMON came in March 2002 as a personal project of programmer
Franque Custodio, with the initial characteristics
of the registration, monitoring, control and consultation to support
incidents and taking as the first user
Centro Universitario La Salle (UNILASALLE). The starting at that time,
the system was assumed by Flávio Ribeiro Support Analyst who has adopted
the tool and since then has refined and implemented various features
aiming to meet the practical issues, operational and managerial
areas of technical support as Helpdesks and Service Desks (By Google Trasnlator)

- Souce: http://ocomonphp.sourceforge.net/

[Advisory Timeline]
- 04/Mar/2011 -> First notification sent.
- 29/Mar/2011 -> Second notification sent
- 05/Apr/2011 -> Third notification sent
- 18/Apr/2011 -> No vendor response
- 18/Apr/2011 -> Advisory published.

[Bug Summary]
- Multiple SQL Injection (SQLi)

[Impact]
- High

[Affected Version]
- Latest 2.0RC6
- Prior versions may also be affected

[Bug Description and Proof of Concept]

The proof of concept was demonstrated at WebSecurity Forum conference
in SP - Brazil

------------------------------------------------------------------------

All flaws described here were discovered and researched by:
Ewerson Guimaraes aka Crash.
Rodrigo Escobar aka Ipax.
Rener Alberto aka Gr1nch.
This research was conducted in partnership with Emanuel do Reis -
@emanueldosreis

DcLabs Security Research Group

[Workarounds]
- No Workaround

[Credits]
DcLabs Security Research Group.


--
Ewerson Guimaraes (Crash)
Pentester/Researcher
DcLabs Security Team
www.dclabs.com.br

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ