[DCA-2011-0011] [Discussion] - DcLabs Security Research Group advises about following vulnerability(ies): [Software] - Ocomon [Vendor Product Description] - The OCOMON came in March 2002 as a personal project of programmer Franque Custodio, with the initial characteristics of the registration, monitoring, control and consultation to support incidents and taking as the first user Centro Universitario La Salle (UNILASALLE). The starting at that time, the system was assumed by Flávio Ribeiro Support Analyst who has adopted the tool and since then has refined and implemented various features aiming to meet the practical issues, operational and managerial areas of technical support as Helpdesks and Service Desks (By Google Trasnlator) - Souce: http://ocomonphp.sourceforge.net/ [Advisory Timeline] - 04/Mar/2011 -> First notification sent. - 29/Mar/2011 -> Second notification sent - 05/Apr/2011 -> Third notification sent - 18/Apr/2011 -> No vendor response - 18/Apr/2011 -> Advisory published. [Bug Summary] - Multiple SQL Injection (SQLi) [Impact] - High [Affected Version] - Latest 2.0RC6 - Prior versions may also be affected [Bug Description and Proof of Concept] The proof of concept was demonstrated at WebSecurity Forum conference in SP - Brazil ------------------------------------------------------------------------ All flaws described here were discovered and researched by: Ewerson Guimaraes aka Crash. Rodrigo Escobar aka Ipax. Rener Alberto aka Gr1nch. This research was conducted in partnership with Emanuel do Reis - @emanueldosreis DcLabs Security Research Group [Workarounds] - No Workaround [Credits] DcLabs Security Research Group. -- Ewerson Guimaraes (Crash) Pentester/Researcher DcLabs Security Team www.dclabs.com.br