Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26161
HistoryApr 19, 2011 - 12:00 a.m.

[DCA-2011-0011] - Ocomon Multiple SQL Injection

2011-04-1900:00:00
vulners.com
36

[DCA-2011-0011]

[Discussion]

  • DcLabs Security Research Group advises about following vulnerability(ies):

[Software]

  • Ocomon

[Vendor Product Description]

  • The OCOMON came in March 2002 as a personal project of programmer
    Franque Custodio, with the initial characteristics
    of the registration, monitoring, control and consultation to support
    incidents and taking as the first user
    Centro Universitario La Salle (UNILASALLE). The starting at that time,
    the system was assumed by FlΓ‘vio Ribeiro Support Analyst who has adopted
    the tool and since then has refined and implemented various features
    aiming to meet the practical issues, operational and managerial
    areas of technical support as Helpdesks and Service Desks (By Google Trasnlator)

  • Souce: http://ocomonphp.sourceforge.net/

[Advisory Timeline]

  • 04/Mar/2011 -> First notification sent.
  • 29/Mar/2011 -> Second notification sent
  • 05/Apr/2011 -> Third notification sent
  • 18/Apr/2011 -> No vendor response
  • 18/Apr/2011 -> Advisory published.

[Bug Summary]

  • Multiple SQL Injection (SQLi)

[Impact]

  • High

[Affected Version]

  • Latest 2.0RC6
  • Prior versions may also be affected

[Bug Description and Proof of Concept]

The proof of concept was demonstrated at WebSecurity Forum conference
in SP - Brazil


All flaws described here were discovered and researched by:
Ewerson Guimaraes aka Crash.
Rodrigo Escobar aka Ipax.
Rener Alberto aka Gr1nch.
This research was conducted in partnership with Emanuel do Reis -
@emanueldosreis

DcLabs Security Research Group

[Workarounds]

  • No Workaround

[Credits]
DcLabs Security Research Group.

–
Ewerson Guimaraes (Crash)
Pentester/Researcher
DcLabs Security Team
www.dclabs.com.br