ViciDial Group Security Alert 2009-05-22
There has been a security vulnerability posted on various websites that allows
access to the administrative section of the ViciDial Call Center Suite software.
The vulnerability only allows access to view a list of users and campaigns, but
if the exploiter tries to go into any of the detail screens they will be told
they do not have permission to view them.
This vulnerability is not present on default installations of the ViciDial Call
Center Suite; the end user must change the system settings to allow non-latin
characters in order for this vulnerability to be enabled. The quickest way to
deactivate this vulnerability is to disable non-latin characters in ViciDial by
changing the "Use Non-Latin" field in the Admin -> System Settings screen to
'0'.
The affected versions of ViciDial are the 2.0.5 release and earlier.
If you need to use non-latin characters, the following patch is available for
your systems:
http://www.eflo.net/vicidial/security_f ... 0522.patch
To apply it on your system, simply run these commands:
$ cd /path/from/root/to/web/vicidial
$ wget http://www.eflo.net/vicidial/security_f ... 0522.patch
$ patch -p1 < ./security_fix_admin_20090522.patch
File to patch: admin.php
If you have any other questions related to this, please contact the ViciDial
Group: http://www.vicidial.com