Bug #2387

closed

MySQL injection attack in goautodial

Added by striker 247 over 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Immediate
Assignee:
Category: Bugs
Target version: -
Start date: 01/12/2016
Due date:
% Done: 100%
Estimated time:

Description

Hi goautodial team,
It seems there is a loophole in the goautodial script which lets a hacker carry out a MySQL injection attack and make their way to logging in as admin.

Below is the URL of the MySQL injection attack:
https://server_ip_address/go_login/validate_credentials/admin/'OR '1'='1

Once the above command is executed, the hacker can just log in as admin without a password using the URL below:

http://server_ip_address/go_login/

Actual post:
http://goautodial.org/boards/1/topics/8735
Thanks to Alexandr Ababii for pointing out this bug.

br
striker
www.striker24x7.blogspot.com

Actions #1

Updated by Steve Austin over 8 years ago

You should upgrade to the latest available version of GoAutodial v3.3.

This issue was identified and reported in early 2015 (CVE-2015-2843) with an appropriate fix. You will need to update to, at a minimum, version 3.3-1421902800.

I suggest you remind him to review his software patching lifecycle to ensure all software is updated to the latest version on production systems to reduce the likelihood of exposure.
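
An added example (not part of this ticket and not GOautodial code): a Python scan of web-server access logs for requests shaped like the URL in the report, flagging quote or SQL comment characters in the username or password path segment. The combined log format, the sample lines and the client addresses are constructed assumptions; adapt the request regex to the log format your server writes.

```python
import re
from urllib.parse import unquote

# Combined-format access log entry (assumed format): client, request line, status
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Path shape taken from the report: /go_login/validate_credentials/<user>/<password>
LOGIN_PATH = re.compile(r"^/go_login/validate_credentials/([^/?]*)/([^?]*)")
# Characters that have no place in a credential used to build a SQL string.
# A real password may contain some of these, so treat hits as leads to review.
SQL_META = re.compile(r"""['"`;]|--|/\*""")

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2016:10:01:02 +0000] '
    '"GET /go_login/validate_credentials/admin/s3cret HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2016:10:05:40 +0000] '
    '"GET /go_login/validate_credentials/admin/%27OR%20%271%27=%271 HTTP/1.1" 200 498',
    '198.51.100.7 - - [12/Jan/2016:10:05:44 +0000] '
    '"GET /go_login/ HTTP/1.1" 200 2048',
]

def scan(lines):
    """Return one record per login-validation request with SQL metacharacters."""
    hits = []
    for line in lines:
        entry = REQUEST.match(line)
        if not entry:
            continue  # not a parseable access-log line
        client, method, url, status = entry.groups()
        path = LOGIN_PATH.match(url)
        if not path:
            continue  # some other endpoint
        # Percent-decode each segment before inspecting it
        fields = {"user": unquote(path.group(1)), "password": unquote(path.group(2))}
        flagged = [name for name, value in fields.items() if SQL_META.search(value)]
        if flagged:
            # Record which field was flagged, never the credential value itself
            hits.append({"client": client, "user": fields["user"],
                         "fields": flagged, "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit against an installation older than the fixed version named above is a reason to review what that client did in the admin interface afterwards.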

Actions #2

Updated by faizal shaikh about 8 years ago

Hello
I have installed goautodial 3.3 on VirtualBox.
The installation completed successfully, but when I open the IP in the browser it is not connecting to the IP.
Please help

Actions #3

Updated by Levy Ryan Nolasco about 8 years ago

  • Assignee changed from Demian Biscocho to striker 247
  • % Done changed from 0 to 100

faizal shaikh wrote:

Hello
I have installed goautodial 3.3 on VirtualBox.
The installation completed successfully, but when I open the IP in the browser it is not connecting to the IP.
Please help

Faizal, don't barge into other issue threads. This issue/bug tracker is meant for bugs, feature requests and issues related to the GOautodial CE ISO, system installation and the GOautodial applications (GOadmin, GOreports and GOagent). To get help from the community, please post your concerns in our forum board at http://goautodial.org/projects/goautodialce/boards

Actions #4

Updated by Levy Ryan Nolasco almost 8 years ago

  • Status changed from New to Closed