# Title: [SQL injection vulnerability in LiveChatNow] # Date: [20.02.2010] # Author: [Ariko-Security] # Software Link: [http://www.livechatnow.com/] # Version: [ALL] # Tested on: [freebsd / ubuntu] ============ { Ariko-Security - Advisory #4/2/2010 } ============= SQL injection vulnerability in LiveChatNow Vendor's Description of Software: # http://www.livechatnow.com/ #demo http://zebra.livechatnow.com/js/enter.php?cid=7546&skin=&survey=&survey_ec =&survey_lm=&group=On-Duty+Techs Dork: #Powered by www.LiveChatNow.com Application Info: # Name: LiveChatNow.com # Versions: ALL Vulnerability Info: # Type: SQL injection Vulnerability # Risk: Medium Time Table: # 20/02/2010 - Vendor notified. # 21/02/2010 - Fixed Input passed via the "cid" parameter to index.php (admim panel) is not properly sanitised before being used in a SQL query. Solution: # Input validation of "cid" parameter should be corrected. Vulnerability: # http://[site]/js/enter.php?cid=7546[SQLi]&skin=&survey=&survey_ec=&survey_ lm=&group=On-Duty+Techs Credit: # Discoverd By: MG # Website: http://Ariko-security.com # Contacts: support[-at-]ariko-security.com Ariko-Security Maciej Gojny support@ariko-security.com tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)