CVE-2013-4467
published 2014-03-11

Priority: P357
Severity: medium, 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 32.77% (98.1th percentile)

Multiple SQL injection vulnerabilities in the agent interface (agc/) in VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allow (1) remote attackers to execute arbitrary SQL commands via the campaign variable in SCRIPT_multirecording_AJAX.php, (2) remote authenticated users to execute arbitrary SQL commands via the server_ip parameter to manager_send.php, or (3) other unspecified vectors. NOTE: some of these details are obtained from third party information.

Affected

3 ranges

Vendor    Product   Version range  Fixed in
vicidial  vicidial  <= 2.7
vicidial  vicidial
vicidial  vicidial

Detection & IOCs (extracted from sources)

path: /agc/manager_send.php
path: /agc/SCRIPT_multirecording_AJAX.php
path: /agc/astguiclient.php
url: /agc/manager_send.php?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip&ACTION=OriginateVDRelogin&server_ip=%27+OR+%271%27+%3D+%271
  • Detect GET requests to /agc/manager_send.php containing SQL injection pattern in the server_ip parameter (e.g., single-quote OR tautology) combined with ACTION=OriginateVDRelogin and enable_sipsak_messages=1.
  • Detect OS command injection in the 'extension' parameter of manager_send.php — payload is wrapped in semicolons (;cmd;), indicating shell command injection via PHP passthru().
  • Alert on authentication attempts to VICIdial using default credentials VDCL/donotedit or VDAD/donotedit, which are used to access the vulnerable injection point.
  • Monitor POST requests to /agc/astguiclient.php with login parameters (user, pass, phone_login, phone_pass) — used by the exploit to create a valid session when none exists.
  • Flag GET requests to /agc/manager_send.php that include both enable_sipsak_messages=1 and allow_sipsak_messages=1 query parameters, which are required by the exploit to reach the vulnerable code path.
  • A valid authenticated session is required to reach the command injection point in manager_send.php; however, the SQL injection in the server_ip parameter can be used to bypass the session check, making pre-auth exploitation feasible as long as at least one session has ever been created.
  • If no valid session exists in the database, the attacker must supply astGUIclient credentials to create one before exploitation; default astGUIclient credentials (6666/1234) are used by the Metasploit module.
  • The exploit payload is delivered via a GET request; Apache's GET limit (~8000 bytes) constrains payload size, which may affect large shellcode but is generally sufficient for command payloads.
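
The GET-visible indicators in the bullets above can be checked against web server access logs. The following is an added example, not code from the advisory or from any exploit module: it parses constructed Apache-style log lines and flags the three request patterns. It generalizes the server_ip check to an allowlist (any value that is not address-shaped is flagged), which assumes the parameter normally carries an IP address; the function name and finding labels are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined-log style, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /agc/manager_send.php'
    '?enable_sipsak_messages=1&allow_sipsak_messages=1&protocol=sip'
    '&ACTION=OriginateVDRelogin&server_ip=%27+OR+%271%27+%3D+%271 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /agc/manager_send.php'
    '?enable_sipsak_messages=1&allow_sipsak_messages=1&ACTION=OriginateVDRelogin'
    '&server_ip=10.0.0.5&extension=%3BPLACEHOLDER%3B HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /agc/manager_send.php'
    '?ACTION=Hangup&server_ip=10.0.0.5 HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /agc/vicidial.php HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ADDRESS_SHAPED = re.compile(r'[0-9A-Fa-f:.]*')  # assumption: server_ip holds an IP address
SEMI_WRAPPED = re.compile(r';.+;', re.S)        # value wrapped in semicolons (;cmd;)

def findings(line):
    """Return the indicator labels (hypothetical names) matched by one log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m['target'])
    if m['method'] != 'GET' or url.path != '/agc/manager_send.php':
        return []
    q = parse_qs(url.query, keep_blank_values=True)  # decodes %27, %3B and '+'
    hits = []
    # SQL injection indicator: server_ip contains anything other than address characters.
    if any(not ADDRESS_SHAPED.fullmatch(v) for v in q.get('server_ip', [])):
        hits.append('server_ip-not-address')
    # Both sipsak flags set to 1, which the page lists as required for the vulnerable path.
    if q.get('enable_sipsak_messages') == ['1'] and q.get('allow_sipsak_messages') == ['1']:
        hits.append('sipsak-flag-pair')
    # Command injection indicator: extension value wrapped in semicolons.
    if any(SEMI_WRAPPED.fullmatch(v) for v in q.get('extension', [])):
        hits.append('extension-semicolon-wrapped')
    return hits

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(findings(line) or 'clean', '|', line[:60])
```

The login-related indicators (POST bodies to /agc/astguiclient.php and the default credentials) do not appear in standard access logs and need request-body or application-level logging instead.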