omaia
Messages: 13 Join date: 19/05/2011
Subject: Serious security flaw in ocomon! Mon Jul 11, 2011 4:24 pm
Folks, I saw this flaw exposed in practice: http://seclists.org/bugtraq/2011/Apr/173 - Quote:

[DCA-2011-0011]
[Discussion] - DcLabs Security Research Group advises about following vulnerability(ies):
[Software] - Ocomon
[Vendor Product Description] - The OCOMON came in March 2002 as a personal project of programmer Franque Custodio, with the initial characteristics of the registration, monitoring, control and consultation to support incidents and taking as the first user Centro Universitario La Salle (UNILASALLE). The starting at that time, the system was assumed by Flávio Ribeiro Support Analyst who has adopted the tool and since then has refined and implemented various features aiming to meet the practical issues, operational and managerial areas of technical support as Helpdesks and Service Desks (By Google Translator)
- Source: http://ocomonphp.sourceforge.net/
[Advisory Timeline]
- 04/Mar/2011 -> First notification sent.
- 29/Mar/2011 -> Second notification sent
- 05/Apr/2011 -> Third notification sent
- 18/Apr/2011 -> No vendor response
- 18/Apr/2011 -> Advisory published.
[Bug Summary] - Multiple SQL Injection (SQLi)
[Impact] - High
[Affected Version] - Latest 2.0RC6 - Prior versions may also be affected
[Bug Description and Proof of Concept]
The proof of concept was demonstrated at WebSecurity Forum conference in SP - Brazil
If you have ocomon running in production at your company, be careful! Here I am only using it for testing, so if something goes wrong it does not have much impact, but if anyone has ocomon open on the internet, stay alert, because the flaw lets an attacker gain access to the admin or any ocomon user.
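The advisory only names the bug class (multiple SQL injections in a PHP application) and gives no details, so the example below is an added illustration and not OCOMON's own code or the advisory's proof of concept. It shows the shape of the vulnerable pattern in a typical login lookup beside the hardened form, using PHP's built-in mysqli prepared statements; the table and column names (usuarios, login, senha_hash) and the connection are assumed placeholders.

```php
<?php
// Added example, not OCOMON's code: the SQL-injection bug class from the
// advisory, shown as a vulnerable login lookup and its corrected form.
// Table/column names are assumed placeholders; $db is an open mysqli handle.

// VULNERABLE: user-controlled strings are spliced into the SQL text, so any
// quote characters in the input are interpreted as part of the query and can
// change its structure (this is the defect class the advisory reports).
function find_user_unsafe(mysqli $db, string $login, string $senha): ?array
{
    $sql = "SELECT id, login FROM usuarios"
         . " WHERE login = '$login' AND senha = '$senha'";
    $res = $db->query($sql);
    if ($res === false) {
        return null;
    }
    $row = $res->fetch_assoc();
    return $row ?: null;
}

// HARDENED: the SQL text is fixed and the input travels separately as bound
// parameters, so it can never alter the query. The password is also no longer
// compared inside SQL: the row is fetched by login alone and the stored hash is
// checked with password_verify(), which is the current PHP best practice.
function find_user_safe(mysqli $db, string $login, string $senha): ?array
{
    $stmt = $db->prepare("SELECT id, login, senha_hash FROM usuarios WHERE login = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if (!$row || !password_verify($senha, $row['senha_hash'])) {
        return null;          // unknown user or wrong password: same outcome
    }
    unset($row['senha_hash']); // never hand the hash back to the caller
    return $row;
}

// Example wiring (assumed connection details; run against your own test DB):
// $db = new mysqli('localhost', 'user', 'pass', 'ocomon_test');
// $db->set_charset('utf8mb4');
// $user = find_user_safe($db, $_POST['login'] ?? '', $_POST['senha'] ?? '');
```

When auditing an installation for this class of issue, the first thing to grep for is the unsafe shape above: a `$db->query(...)` or `mysql_query(...)` whose SQL string interpolates `$_GET`, `$_POST` or `$_REQUEST` values directly. Every such call is a candidate for conversion to a prepared statement like `find_user_safe`.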