TaskFreak 0.6.2 SQL Injection Vulnerability
Posted on 29 April 2010
===========================================
TaskFreak 0.6.2 SQL Injection Vulnerability
===========================================

Description of Vulnerability:
------------------------------

The Tirzen Framework (http://www.tirzen.net/tzn/) is a supporting API developed by Tirzen (http://www.tirzen.com), an intranet and internet solutions provider. The Tirzen Framework contains a SQL injection vulnerability (http://www.owasp.org/index.php/SQL_Injection). This vulnerability could allow an attacker to arbitrarily manipulate SQL strings constructed using the library. This vulnerability manifests itself most notably in the Task Freak (http://www.taskfreak.com/) open source task management software. The vulnerability can be exploited to bypass authentication and gain administrative access to the Task Freak system.

Systems affected:
------------------

Task Freak Multi User / mySQL v0.6.2 with Tirzen Framework 1.5 was tested and shown to be vulnerable.

Impact
-------

Attackers could manipulate database query strings resulting in information disclosure, data destruction, authentication bypass, etc.

Technical discussion and proof of concept:
-------------------------------------------

Tirzen Framework class TznDbConnection in the function loadByKey() (tzn_mysql.php line 605) manifests a SQL injection vulnerability because it fails to sanitize user supplied input used to compose SQL statements.

Proof of concept: any user can log into TaskFreak as the administrator simply by using the username "1' or 1='1"

Vendor response:
----------------

Upgrade to the latest version of TaskFreak.

# Inj3ct0r.com (http://inj3ct0r.com/) [2010-04-29]
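The flaw described above is a lookup-by-key whose value is spliced into the SQL text. The following is an added example, not Tirzen Framework or TaskFreak code and not the contents of tzn_mysql.php: it places a string-built query beside its prepared-statement replacement so the difference in behaviour can be seen on an in-memory SQLite database. The table, column and function names (users, findUserUnsafe, findUserSafe) are invented for the demonstration, and it assumes PHP with the pdo_sqlite extension. One caveat on the test value: the advisory's username is 1' or 1='1, which works against MySQL because MySQL coerces the bare 1='1' comparison to true; SQLite compares integer and text strictly, so the script quotes the literal as '1'='1' to reproduce the same effect.

```php
<?php
// Added example (not Tirzen/TaskFreak code). Hypothetical table and function
// names; runs offline against an in-memory SQLite database via PDO.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: the administrator is the first row, as it commonly is.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)");
$db->exec("INSERT INTO users (id, username, is_admin) VALUES (1, 'admin', 1), (2, 'alice', 0)");

// Vulnerable pattern: the key value becomes part of the SQL text, so a quote
// character in the input terminates the literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, is_admin FROM users WHERE username = '" . $username . "'";
    echo "executing: $sql\n";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the key value is bound as a parameter. The database receives
// the SQL text and the value separately, so the value is never parsed as SQL.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username, is_admin FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The advisory's value, with the literal 1 quoted for SQLite's strict comparison.
$payload = "1' or '1'='1";

// Unsafe lookup: the WHERE clause is now always true and the first row (admin) comes back.
var_dump(findUserUnsafe($db, $payload));

// Safe lookup: no account is literally named "1' or '1'='1", so nothing matches.
var_dump(findUserSafe($db, $payload));
```

Run it with php on the command line. Binding parameters is the durable fix for this class of bug because the query structure is fixed before any user data is supplied; escaping the input before concatenation still leaves the outcome dependent on every call site doing it correctly. When reviewing a data-access layer like the one the advisory names, the check is mechanical: any function that builds its WHERE clause with string concatenation of a caller-supplied value needs the same treatment as findUserUnsafe above.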