This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**What is this?** SQL Injection in VICIDIAL. Affects `SCRIPT_multirecording_AJAX.php` (`campaign` parameter) and `manager_send.php` (`server_ip` parameter), both in the `agc/` agent interface. …
**Root Cause:** Missing input validation. **Flaw:** The scripts neither validate nor escape the `campaign` and `server_ip` parameters before pasting them into SQL query strings, so a quote character in the request ends the string literal and everything after it is executed as SQL. CWE-89 (SQL Injection).
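To make the root cause concrete, here is an added example (not VICIDIAL's code, and not from this analysis) that builds a campaign lookup the flawed way and the correct way. The table name, columns and rows are constructed for the example, and sqlite3 stands in for VICIDIAL's MySQL so it runs offline; the injection mechanics are the same.

```python
import sqlite3

# Constructed sample table standing in for VICIDIAL campaign data. The
# table name, columns and rows are assumptions for this example, not the
# real VICIDIAL schema.
SAMPLE_ROWS = [
    ("SALES01", "Outbound sales", "Y"),
    ("SUPPORT", "Inbound support", "Y"),
    ("TESTCAMP", "QA only", "N"),
]


def open_db():
    """Return an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vicidial_campaigns ("
        "campaign_id TEXT, campaign_name TEXT, active TEXT)"
    )
    conn.executemany("INSERT INTO vicidial_campaigns VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, campaign):
    """The flawed pattern: the request parameter is concatenated into the SQL
    text. A quote inside `campaign` closes the literal and the remainder of
    the value is parsed as SQL."""
    sql = (
        "SELECT campaign_id FROM vicidial_campaigns "
        "WHERE campaign_id='" + campaign + "' AND active='Y'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, campaign):
    """The fix: the parameter is bound separately from the SQL text, so it is
    compared as data and cannot alter the query's structure."""
    sql = (
        "SELECT campaign_id FROM vicidial_campaigns "
        "WHERE campaign_id=? AND active='Y'"
    )
    return [row[0] for row in conn.execute(sql, (campaign,))]


def demo():
    """Run both lookups with a benign ID and two classic payloads."""
    conn = open_db()
    benign = "SALES01"
    # Tautology: closes the literal, defeats the active='Y' filter, and
    # comments out the trailing quote.
    tautology = "' OR '1'='1' --"
    # UNION: reads a different column out of the same query.
    union = "' UNION SELECT campaign_name FROM vicidial_campaigns --"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_parameterized": lookup_parameterized(conn, benign),
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),
        "tautology_parameterized": lookup_parameterized(conn, tautology),
        "union_vulnerable": lookup_vulnerable(conn, union),
        "union_parameterized": lookup_parameterized(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the tautology payload returns every campaign, including the inactive one, and the UNION payload pulls back the `campaign_name` column instead; the parameterized query returns nothing for either payload because the whole string is compared against `campaign_id` as a value.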
Q3 Who is affected? (Versions/Components)
**Affected:** VICIDIAL Dialer (the web-based agent/dialer front end for Asterisk). **Versions:** 2.7 and earlier. **Vendor:** Vicidial Group. VICIDIAL is open-source call-center (PBX/dialer) software.
Q4 What can hackers do? (Privileges/Data)
**Hackers' Power:** Execute arbitrary SQL statements against the VICIDIAL database. **Impact:** Read, modify, or delete database records (campaign and call data). In the worst case the injection is chained toward remote code execution, which is what the public Metasploit module in Q6 is built for. …
**Threshold:** Medium. The attacker needs HTTP access to the vulnerable scripts in the `agc/` agent interface; whether a valid agent login is also required is not established here. Once the scripts are reachable, exploitation is straightforward: the payload is an ordinary request parameter.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Public exploit?** YES. **Proof:** Exploit-DB #29513. **Framework:** Metasploit module `vicidial_manager_send_cmd_exec.rb`. With a weaponized module available, in-the-wild exploitation should be assumed to be possible.
Q7 How to self-check? (Features/Scanning)
**Self-Check:** Identify VICIDIAL installations running version 2.7 or earlier (compare version numbers numerically, not as strings). **Target:** Check whether `agc/manager_send.php` and `agc/SCRIPT_multirecording_AJAX.php` are reachable from networks that should not have them. …
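An added self-check script (written for this summary, not part of the original analysis or of VICIDIAL) that does both halves of the check above: it decides whether a version string falls in the affected range and probes whether the two named scripts answer over HTTP. The two script paths come from this page; the hostname and the `fetch` parameter are assumptions made so the check can be exercised offline.

```python
import re
import urllib.error
import urllib.request

# Script paths named on this page, relative to the VICIDIAL web root.
VULNERABLE_SCRIPTS = (
    "agc/manager_send.php",
    "agc/SCRIPT_multirecording_AJAX.php",
)

LAST_AFFECTED = (2, 7)  # "2.7 and earlier", per this page


def parse_version(text):
    """Extract (major, minor) from strings such as '2.7', '2.7RC1' or
    'VERSION: 2.14-500a'. Returns None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_affected_version(text):
    """True when the version is 2.7 or earlier. Compares integer tuples,
    not strings: as strings '2.14' <= '2.7' is True, which is wrong."""
    v = parse_version(text)
    return v is not None and v <= LAST_AFFECTED


def default_fetch(url, timeout=5):
    """GET the URL and return the HTTP status, or None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "vicidial-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None


def exposed_scripts(base_url, fetch=default_fetch):
    """Return the vulnerable script paths that answer HTTP 200 under
    base_url. `fetch` is injectable (an assumption of this example) so the
    logic can be tested without a network."""
    base = base_url.rstrip("/") + "/"
    return [path for path in VULNERABLE_SCRIPTS if fetch(base + path) == 200]


if __name__ == "__main__":
    import sys
    # Hypothetical default target; pass the real web root as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://vicidial.example.internal"
    print("exposed:", exposed_scripts(target))
```

A 200 response only proves the script is reachable from where you ran the probe, not that the installation is unpatched; pair it with the version check, and run the probe from the network segments that should not be able to reach the agent interface at all.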
**No Patch?** 1. Restrict access to the `agc/` directory to the networks agents actually use (web-server ACL or VPN). 2. Add WAF rules for the `server_ip` and `campaign` parameters; an allow-list (an IP address literal for `server_ip`, a short alphanumeric identifier for `campaign`) is more reliable than a blocklist of SQL injection patterns, which attackers routinely evade. 3. Disable the vulnerable scripts if the features they support are not needed.
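The following added example (not from this analysis or from VICIDIAL) shows the allow-list check that mitigation 2 describes, and why it beats a pattern blocklist. The expected shapes of the two parameters (an IP address for `server_ip`, an identifier of up to 20 characters for `campaign`) are assumptions about the application, as is the naive blocklist used for comparison.

```python
import ipaddress
import re

# Allow-list for the campaign parameter: short identifier, nothing else.
# The length bound and character set are assumptions for this example.
CAMPAIGN_RE = re.compile(r"[A-Za-z0-9_-]{1,20}")

# A deliberately naive blocklist of the kind a quick WAF rule might use:
# a quote followed by optional whitespace and OR/AND.
NAIVE_BLOCKLIST_RE = re.compile(r"'\s*(or|and)\b", re.IGNORECASE)


def validate_server_ip(value):
    """Accept only a literal IPv4/IPv6 address; reject everything else."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def validate_campaign(value):
    """Accept only values matching the identifier allow-list in full."""
    return CAMPAIGN_RE.fullmatch(value) is not None


def naive_blocklist_catches(value):
    """True when the blocklist pattern fires. Shown for contrast only."""
    return NAIVE_BLOCKLIST_RE.search(value) is not None


# Rules keyed by the parameter names taken from this page.
VALIDATORS = {
    "server_ip": validate_server_ip,
    "campaign": validate_campaign,
}


def screen_request(params):
    """Return (allowed, reasons). Parameters without a rule pass through;
    the two injectable ones must satisfy their allow-list. Run this on the
    server side (or in the WAF) before the value reaches any SQL."""
    reasons = []
    for name, rule in VALIDATORS.items():
        if name in params and not rule(params[name]):
            reasons.append(f"{name} rejected: {params[name]!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed payload that dodges the naive blocklist by using SQL
    # comment tokens instead of whitespace.
    evasive = "'/**/OR/**/1=1--"
    print("blocklist catches evasive payload:", naive_blocklist_catches(evasive))
    print("allow-list verdict:", screen_request({"campaign": evasive}))
```

The evasive payload replaces the spaces in `' OR 1=1` with `/**/` comment tokens, so the blocklist regex never sees whitespace after the quote and lets it through, while the allow-list rejects it simply because `'`, `/` and `=` are not identifier characters. This is a compensating control, not a fix: the query construction in the scripts still needs to be parameterized.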
Q10 Is it urgent? (Priority Suggestion)
**Urgency:** HIGH. **Priority:** Critical. A public exploit and a Metasploit module exist, and call-center databases hold sensitive customer and call data. Patch immediately; where that is not yet possible, restrict access to the `agc/` interface in the meantime.